Bug Report
Problematic Behavior
When going through the sale tunnel, attempting to subscribe after updating the user's full name results in a 403 error (CSRF Failed) when the PATCH request is sent to the Open edX user API.
The browser console shows:
Response:
PATCH https://lms.fun-mooc.fr/api/user/v1/accounts/username 403 Forbidden
{"detail":"CSRF Failed: CSRF token missing or incorrect."}
Expected behavior/code
Users should be able to update their name from the sale tunnel within Richie.
In preproduction, the update works as expected and correctly updates the "Full Name" field on the Open edX account settings page: https://lms.fun-mooc.fr/account/settings
Steps to Reproduce
- Go to a training on fun-mooc.fr
- Open the sale tunnel
- Attempt to update the full name field
- Click on Subscribe
- Observe the 403 (CSRF Failed) error in the browser console
Environment
- Richie version: 1.44.0
- Platform: production
Possible Cause
It seems the issue comes from sending the request from www.fun-mooc.fr to lms.fun-mooc.fr: the CSRF token the LMS expects is not readable from that origin.
- In preprod, the domain has an edx_csrf_token cookie whose value matches the edx_csrf_token expected by the LMS. This token is therefore accepted when sent in authenticated requests.
- In production, the domain www.fun-mooc.fr does not have the edx_csrf_token cookie. It only has a csrftoken cookie, which does not match the one expected by the LMS (lms.fun-mooc.fr) and is not usable for authentication. As a result, the PATCH request systematically fails with a CSRF error.
Additional context/Screenshots
- An error is also reported in Sentry, pointing to openedx-fonzie.ts (richie/src/frontend/js/api/lms/openedx-fonzie.ts, line 89 in cfad257):
Error: [POST - Account] > 403 -
at call(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:89:22)
at tryCatch(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:2:1)
at _invoke(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:2:1)
at a(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:2:1)
at asyncGeneratorStep(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:2:1)
at _throw(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:2:1)
The line at openedx-fonzie.ts:89 is:
handle(new Error(`[POST - Account] > ${e.code} - ${e.message}`));
More context: