CSRF token verification failed (https and nginx has set https)

  • Used Zammad version: 6.3.1
  • Used Zammad installation type: (source, package, docker-compose, …)
  • Operating system: ubuntu 22.04.4 LTS
  • Browser + version: Version 126.0.6478.61 (Official Build) (64-bit)

Expected behavior:

  • It should not fail with “CSRF token verification failed”.

We cannot send email by “Trigger”; we found that the logs show “CSRF token verification failed” when POSTing to /api/v1/message_send.

Actual behavior:

Steps to reproduce the behavior:

We have set nginx with proxy_set_header X-Forwarded-Proto https;

but in the logs we still see CSRF token verification failed:

I, [2024-06-16T09:19:11.149723 #19951-149420]  INFO -- : Started POST "/api/v1/message_send" for xxx.xxx.xxx.xx at 2024-06-16 09:19:11 +0800
I, [2024-06-16T09:19:11.154376 #19951-149420]  INFO -- : Processing by LongPollingController#message_send as JSON
I, [2024-06-16T09:19:11.154454 #19951-149420]  INFO -- :   Parameters: {"data"=>{"event"=>"login"}}
I, [2024-06-16T09:19:11.158510 #19951-149420]  INFO -- : CSRF token verification failed
I, [2024-06-16T09:19:11.158659 #19951-149420]  INFO -- : CSRF token verification failed! (Exceptions::NotAuthorized)
app/controllers/application_controller/prevents_csrf.rb:36:in `verify_csrf_token'
app/controllers/application_controller/has_download.rb:17:in `block (4 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:16:in `block (3 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:15:in `block (2 levels) in <module:HasDownload>'
app/controllers/application_controller/handles_transitions.rb:16:in `handle_transaction'
I, [2024-06-16T09:19:11.159689 #19951-149420]  INFO -- : Completed 401 Unauthorized in 5ms (Views: 0.1ms | ActiveRecord: 0.7ms | Allocations: 2136)

/api/v1/message_send is the AJAX fallback if websockets are not working. Ensure that websockets are working and reload the web interface if the client cannot recover the websocket connection (which it theoretically should) for whatever reason.

Note that this fallback will be obsolete in the new tech stack when it arrives. So being ready now is better than later.

Hi, I receive the same message for /api/v1/message_send; I’m using nginx. How can I solve it?
Thanks

Same problem for me: CSRF token verification failed!

I ran into this issue with a fresh install. According to the docs, you need to set the docker environment variable NGINX_SERVER_SCHEME to https:

Docker Environment Variables

If the Nginx container for Zammad is not the upstream server (aka you’re using another proxy in front of nginx) $scheme may be wrong. You can set the correct scheme http or https if needed.

In my case, I’m using traefik as my reverse proxy. In the past, when I set this up with nginx proxy manager on the same VM, I didn’t have to set this value. The only extra config I did was to add the external network nginx proxy manager was using to Zammad’s nginx container.
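For readers who, like the original poster, run their own nginx in front of Zammad: the following is an added example of a TLS-terminating front proxy, written for this page and not posted by any participant or taken from Zammad’s own configuration. It assumes the Zammad nginx container publishes port 8080 on the host; the hostname and certificate paths are placeholders. The two things the thread turns on are both here: the backend must learn that the client is on https (X-Forwarded-Proto, or NGINX_SERVER_SCHEME=https on the container when it sits behind another proxy and its own $scheme is http), and the WebSocket upgrade headers must be forwarded so the client never drops to the /api/v1/message_send long-polling fallback that produced the 401 above.

```nginx
# Added example, not from the thread or from Zammad. Place in an http{}-level
# include (e.g. /etc/nginx/conf.d/zammad.conf).

# "upgrade" for WebSocket handshakes, "close" for ordinary requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream zammad_nginx {
    server 127.0.0.1:8080;   # assumed: host port published by the zammad-nginx container
}

server {
    listen 80;
    server_name zammad.example.com;          # placeholder
    return 301 https://$host$request_uri;    # never serve the UI over plain http
}

server {
    listen 443 ssl;
    server_name zammad.example.com;          # placeholder

    ssl_certificate     /etc/ssl/zammad.example.com.crt;   # placeholder
    ssl_certificate_key /etc/ssl/zammad.example.com.key;   # placeholder

    location / {
        proxy_pass http://zammad_nginx;
        proxy_http_version 1.1;

        # Tell the backend the real scheme and host. If the zammad-nginx
        # container still sees http on its side, also set
        # NGINX_SERVER_SCHEME=https on that container (see the docs quoted above).
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header Host              $host;

        # Pass the WebSocket upgrade through so /ws works and the client does
        # not fall back to the AJAX endpoint /api/v1/message_send.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 86400;
    }
}
```

After reloading nginx, open the web interface and confirm in the browser’s network tab that the /ws request completes with a 101 Switching Protocols response; if it does, no further POSTs to /api/v1/message_send should appear in the Zammad log.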