Included expected and actual origin in csrf error (#9974)

refs #9865 refs #9972 The previous error message did not have enough information for a user to self diagnose issues on their blog.
2023-12-13 21:00:40 +01:00 · 2018-10-10 14:36:45 +07:00 · 2018-10-10 14:36:45 +07:00 · f9c8f2d0da
parent 150c0d4de7
commit f9c8f2d0da
2 changed files with 8 additions and 4 deletions
--- a/core/server/services/auth/session/middleware.js
+++ b/core/server/services/auth/session/middleware.js
@ -104,9 +104,13 @@ const cookieCsrfProtection = (req, res, next) => {
        return next();
    }

-    if (req.session.origin !== getOrigin(req)) {
+    const origin = getOrigin(req);
+    if (req.session.origin !== origin) {
        return next(new common.errors.BadRequestError({
-            message: common.i18n.t('errors.middleware.auth.mismatchedOrigin')
+            message: common.i18n.t('errors.middleware.auth.mismatchedOrigin', {
+                expected: req.session.origin,
+                actual: origin
+            })
        }));
    }

--- a/core/server/translations/en.json
+++ b/core/server/translations/en.json
@ -73,8 +73,8 @@
                "clientCredentialsNotProvided": "Client credentials were not provided",
                "clientCredentialsNotValid": "Client credentials were not valid",
                "forInformationRead": "For information on how to fix this, please read {url}.",
-                "unknownOrigin": "Could not determine origin of request. Please ensure an Origin or Referrer header is present",
-                "mismatchedOrigin": "Request made from incorrect origin.",
+                "unknownOrigin": "Could not determine origin of request. Please ensure an Origin or Referrer header is present.",
+                "mismatchedOrigin": "Request made from incorrect origin. Expected '{expected}' received '{actual}'.",
                "missingUserIDForSession": "Cannot create session without user id.",
                "accessDenied": "Access denied.",
                "pleaseSignIn": "Please Sign In"