
Error: 422 can't verify CSRF token authenticity on explore page #30066

Open
da5nsy opened this issue Apr 25, 2024 · 11 comments
Labels
area/web interface (Related to the Mastodon web interface); bug (Something isn't working); status/to triage (This issue needs to be triaged)

Comments

@da5nsy

da5nsy commented Apr 25, 2024

Steps to reproduce the problem

  1. Visit typo.social/explore
  2. Scroll down
  3. See error:

(screenshot: Screenshot_20240425-110837)

On desktop (Windows, Firefox) no error is produced, but scrolling stops at the same point, suggesting to me that the error occurs but is not communicated.

Expected behaviour

No error

Actual behaviour

Error (and then no additional posts will load)

Detailed description

Also reported here:

Mastodon instance

typo.social

Mastodon version

v4.2.8

Browser name and version

Firefox on Android, 124.2.0 (Build #2016012559), 7a0e399c7b+ GV: 124.0.2-20240401114208 AS: 124.0 2024-04-01T17:18:00.821594648

Operating system

Android 13

Technical details

No response

@da5nsy da5nsy added the labels area/web interface, bug and status/to triage on Apr 25, 2024
@ClearlyClaire
Contributor

ClearlyClaire commented May 2, 2024

I am unable to reproduce this issue, and no request here should involve a CSRF token afaik.

@da5nsy
Author

da5nsy commented May 2, 2024

I am currently able to reproduce reliably. Are there any logs or additional info I could provide?

@ClearlyClaire
Contributor

If you are able to get your browser's network log (which is more work on mobile), I would be interested in knowing which request fails with a 422 error.

@da5nsy
Author

da5nsy commented May 3, 2024

You were correct - that did indeed take some work haha


Response headers

HTTP/2 422 
date: Fri, 03 May 2024 10:05:17 GMT
content-type: application/json; charset=utf-8
access-control-allow-origin: *
access-control-allow-methods: POST, PUT, DELETE, GET, PATCH, OPTIONS
access-control-expose-headers: Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id
access-control-max-age: 7200
server: Mastodon
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: same-origin
x-ratelimit-limit: 300
x-ratelimit-remaining: 298
x-ratelimit-reset: 2024-05-03T10:10:00.861004Z
cache-control: private, no-store
content-security-policy: default-src 'none'; frame-ancestors 'none'; form-action 'none'
x-request-id: af3d3c4d-49f7-4f9f-ac2f-eb41e77f7b48
x-runtime: 0.004334
strict-transport-security: max-age=63072000; includeSubDomains
vary: Authorization, Origin
X-Firefox-Spdy: h2

Request headers

PUT /api/web/settings HTTP/2
Host: typo.social
User-Agent: Mozilla/5.0 (Android 13; Mobile; rv:125.0) Gecko/125.0 Firefox/125.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB
Accept-Encoding: gzip, deflate, br
Referer: https://typo.social/explore
Content-Type: application/json
Content-Length: 1308
Origin: https://typo.social
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
TE: trailers

Notes to future self: to do this:

  • Install adb by installing Android Studio
  • Add adb to path
  • Follow these instructions to connect
  • Click on network
  • (Don't try to use HTTP Toolkit - it looks like a cool tool but struggles with third party apps, e.g. Firefox if device is not rooted)
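An added triage helper (not part of this issue and not Mastodon's own code): it parses request and response header blocks in the form copied from browser devtools, like the capture above, and flags a state-changing request that was answered with 422 while carrying no X-CSRF-Token header. That pattern is consistent with Rails-style forgery protection rejecting a write from a session that holds no token, which matches the "can't verify CSRF token authenticity" message in the title. The sample header blocks below are constructed from the capture in this thread (body omitted, only the relevant headers kept); the function names are assumptions of mine, and the helper makes no claim about which Mastodon code path issued the request.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample header blocks, constructed from the capture posted in this thread
# (request body omitted; only the headers relevant to the triage are kept).
REQUEST_HEADERS = """\
PUT /api/web/settings HTTP/2
Host: typo.social
Referer: https://typo.social/explore
Content-Type: application/json
Content-Length: 1308
Origin: https://typo.social
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
"""

RESPONSE_HEADERS = """\
HTTP/2 422
content-type: application/json; charset=utf-8
server: Mastodon
x-request-id: af3d3c4d-49f7-4f9f-ac2f-eb41e77f7b48
x-runtime: 0.004334
"""

# Methods that Rails-style forgery protection covers (reads are exempt).
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class HttpMessage:
    start_line: str
    headers: dict  # header names lower-cased, values stripped


def parse_headers(raw: str) -> HttpMessage:
    """Parse a raw header block as copied from browser devtools."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0].strip(), headers)


def triage(request_raw: str, response_raw: str) -> dict:
    """Classify one request/response pair for a CSRF-style 422 rejection."""
    req = parse_headers(request_raw)
    resp = parse_headers(response_raw)
    method, path = req.start_line.split()[:2]
    status = int(resp.start_line.split()[1])

    # Same-origin check only makes sense when the browser sent an Origin.
    origin = req.headers.get("origin")
    same_origin = None
    if origin is not None:
        same_origin = (urlsplit(origin).hostname == req.headers.get("host")
                       and req.headers.get("sec-fetch-site") == "same-origin")

    result = {
        "method": method,
        "path": path,
        "status": status,
        "state_changing": method in STATE_CHANGING,
        "has_csrf_token": "x-csrf-token" in req.headers,
        "same_origin": same_origin,
        "request_id": resp.headers.get("x-request-id"),
        "findings": [],
    }
    if status == 422 and result["state_changing"] and not result["has_csrf_token"]:
        result["findings"].append(
            f"{method} {path} answered 422 without an X-CSRF-Token header: "
            "consistent with forgery protection rejecting a write from a "
            "session that has no token (for example, a logged-out visitor)")
    if same_origin is False:
        result["findings"].append("request is not same-origin; compare Origin and Host")
    return result


if __name__ == "__main__":
    report = triage(REQUEST_HEADERS, RESPONSE_HEADERS)
    print(f"{report['method']} {report['path']} -> {report['status']} "
          f"(x-request-id {report['request_id']})")
    for finding in report["findings"]:
        print("-", finding)
```

The x-request-id it extracts is the value to hand to the server operator, who can match it against the Rails log line for that request without needing the full capture.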

@ClearlyClaire
Contributor

Thanks, that is very helpful! It seems like the failing request is not preventing browsing /explore at all but the app is for some reason trying to save settings… that failing is unsurprising, but I'm not sure why it is even trying. I will investigate!

@ClearlyClaire
Contributor

I still can't reproduce the issue nor find a code path that would trigger an attempt to save settings. Can you reliably reproduce this? If so, are you doing anything unusual? Do you perhaps use a browser extension that would interact with Mastodon?

@da5nsy
Author

da5nsy commented May 3, 2024

Can you reliably reproduce this?

Yes.

If so, are you doing anything unusual?

I don't think so. I had the "uBlock Origin" add-on enabled, but disabling it doesn't change the behaviour.

Curiously, if I open a private browsing tab, and go to the same site I get a different but similar behaviour. Now the list shows the same posts (currently stopping after only 2 posts) but doesn't then deliver the error code.


@ClearlyClaire
Contributor

There being only two trending posts is not indicative of any error. There being only two trending posts is expected for a small server with little activity.

The only error is the 422 error, which is caused by an attempt to save settings for a logged-out user. However, I currently don't understand what could have triggered it.

@da5nsy
Author

da5nsy commented May 3, 2024

I'm happy to clear my cache to see if that resolves it, but if that does resolve it then I assume that removes the possibility of us working out what the underlying issue is?

I tried logging out of any other logged in mastodon servers (there were 2) but that didn't change anything.

@ClearlyClaire
Contributor

So every time you visit https://typo.social/explore while logged out on your browser on Android, you get the 422 error? I wonder if the debugger could help us get some info there. Try opening the debugger and going to “Breakpoints” → “XHR Breakpoints” and add a breakpoint on /api/web/settings, but I'm afraid the stack trace will be unreadable because of the javascript minimization.

@da5nsy
Author

da5nsy commented May 7, 2024

So every time you visit https://typo.social/explore while logged out on your browser on Android, you get the 422 error?

Correct.

Try opening the debugger and going to “Breakpoints” → “XHR Breakpoints” and add a breakpoint on /api/web/settings

(screenshot: Screenshot_20240507_170507)

Development

No branches or pull requests

2 participants