RStudio 2023.12.1-402 invalid CSRF form

Struggling to get auth working. On the hpc node this shows up in the syslog.

rserver[29190]: ERROR Failed to validate sign-in with invalid CSRF form; LOGGED FROM: bool rstudio::server::auth::common::validateSignIn(const rstudio::core::http::Request&, rstudio::core::http::Response*) src/cpp/server/auth/ServerAuthCommon.cpp:136

This is my view.html.erb

<script>
  var hostButton=$( "a.btn.btn-primary.btn-sm.fas.fa-terminal" );
  var hostname=hostButton.text();
  hostButton.replaceWith(hostname);
  document.cookie = "csrf-token=<%= csrf_token %>; path=/rnode/<%= host %>/<%= port %>; secure";
</script>
<form action="/rnode/<%= host %>/<%= port %>/auth-do-sign-in" method="post" target="_blank">
  <input type="hidden" name="username" value="<%= ENV["USER"] %>"/>
  <input type="hidden" name="password" value="<%= password %>"/>
  <input type="hidden" name="staySignedIn" value="1"/>
  <input type="hidden" name="appUri" value=""/>
  <input id="csrfToken" type="hidden" name="csrf-token" value="<%= csrf_token %>"/>
  <button class="btn btn-primary" type="submit">
    <i class="fab fa-r-project"></i> Connect to RStudio Server
  </button>
</form>

submit.yml

---
batch_connect:
  template: "basic"
  conn_params:
    - csrf_token

before.sh.erb

# Export the module function if it exists
[[ $(type -t module) == "function" ]] && export -f module

# Find available port to run server on
port=$(find_port ${host})

# Define a password and export it for RStudio authentication
password="$(create_passwd 16)"
export RSTUDIO_PASSWORD="${password}"

# create CSRF token
<%-
  require 'securerandom'
  csrftoken=SecureRandom.uuid
-%>
export csrf_token="<%= csrftoken %>"

I do see the connection.yml file gets populated with the csrf token and password. I’ve tried copying and pasting in the password and I still can’t get through it. It will always show csrf invalid on the hpc node.

csrf_token: d27d4914-d045-4f72-a472-752a308156c9
host: devslurmvm01.nygenome.org
port: 52195
password: YazTPS3NLq6pFbFv

Hello, and welcome!

I’ve been unable to reproduce this issue, and what I’ve found is that it’s probably pretty tied to specifics about how RStudio manages authentication and will require further investigation. I have found that you’re not the only one to have faced it and that there is a closed rstudio issue with the same error.

I am continuing to investigate this issue and will keep you updated on what I find.

Thanks. If this helps, we’re on CentOS 7.9 OS and a container with singularity/3.8.6.

In addition to this, even if I access the hpc node directly without going through the url rewrite, it still doesn’t take the password.

This is the script.sh.erb

#!/usr/bin/env bash

# Load the required environment
setup_env () {
  # Additional environment which could be moved into a module
  # Change these to suit
  export RSTUDIO_SERVER_IMAGE="/gpfs/commons/home/lhuang/ondemand/dev/RStudio/rserver-launcher-centos7.simg"
  export SINGULARITY_BINDPATH="/etc,/media,/mnt,/opt,/srv,/usr,/var,/nfs/sw,/nfs/scratch"
  export PATH="$PATH:/nfs/sw/rstudio-server/rstudio-server-2023.12.1-402/usr/lib/rstudio-server/bin/"
  export SINGULARITYENV_PATH="$PATH"
  # In Singularity 3.5.x it became necessary to explicitly pass LD_LIBRARY_PATH
  # to the singularity process
  export SINGULARITYENV_LD_LIBRARY_PATH="$LD_LIBRARY_PATH"
  module load rstudio-server/2023.12.1-402
  module load singularity
  module load R/3.6.0
}
setup_env

#
# Start RStudio Server
#

# PAM auth helper used by RStudio
export RSTUDIO_AUTH="/gpfs/commons/home/lhuang/ondemand/dev/Rstudio/template/bin/auth"

# Generate an `rsession` wrapper script
export RSESSION_WRAPPER_FILE="${PWD}/rsession.sh"
(
umask 077
sed 's/^ \{2\}//' > "${RSESSION_WRAPPER_FILE}" << EOL
  #!/usr/bin/env bash

  # Log all output from this script
  export RSESSION_LOG_FILE="${PWD}/rsession.log"

  exec &>>"\${RSESSION_LOG_FILE}"

  # Launch the original command
  echo "Launching rsession..."
  set -x
  exec rsession --r-libs-user "${R_LIBS_USER}" "\${@}"
EOL
)
chmod 700 "${RSESSION_WRAPPER_FILE}"

# Set working directory to home directory
cd "${HOME}"

export TMPDIR="$(mktemp -d)"

mkdir -p "$TMPDIR/rstudio-server"
python -c 'from uuid import uuid4; print(uuid4())' > "$TMPDIR/rstudio-server/secure-cookie-key"
chmod 0600 "$TMPDIR/rstudio-server/secure-cookie-key"

set -x
# Launch the RStudio Server
echo "Starting up rserver..."


singularity run -B "$TMPDIR:/tmp" "$RSTUDIO_SERVER_IMAGE" \
 --www-port "${port}" \
 --auth-none 0 \
 --auth-pam-helper-path "${RSTUDIO_AUTH}" \
 --auth-encrypt-password 0 \
 --rsession-path "${RSESSION_WRAPPER_FILE}" \
 --server-data-dir "/nfs/scratch/$USER" \
 --database-config-file "/nfs/sw/rstudio-server/rstudio-server-2023.12.1-402/etc/rstudio/local.conf" \
 --server-user "$USER"

I’ve figured this out based on someone else’s solution. It was in the auth script. I had to change “ne” to “lt”

if [[ $# -ne 1 ]]; then

This is also because the step-by-step instructions are to clone from GitHub - OSC/bc_example_rstudio: An example OnDemand interactive RStudio app using Singularity, which is slightly out of date, hence the difference in the auth file.
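
The argument-count change described above, as an added example that is not part of the original posts or the OSC repository: a password helper in the style of the auth script, run with the strict `-ne 1` check and with the `-lt 1` check. It assumes the server invokes the helper as `auth USERNAME [extra arguments...]` and supplies the password on stdin; `check_args`, `auth`, the mode names and all sample values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not the OSC script). Assumption: the server runs the helper
# as `auth USERNAME [extra args...]` and writes the password to its stdin.

# check_args MODE ARGS...  returns 0 when the argument count is acceptable.
#   strict   = exactly one argument   (the "-ne 1" test quoted in the thread)
#   tolerant = at least one argument  (the "-lt 1" change from the thread)
check_args() {
  chk_mode="$1"; shift
  case "$chk_mode" in
    strict)   if [ "$#" -ne 1 ]; then return 1; fi ;;
    tolerant) if [ "$#" -lt 1 ]; then return 1; fi ;;
    *)        return 2 ;;
  esac
  return 0
}

# auth MODE USERNAME [extra args...]  password is read from stdin.
auth() {
  auth_mode="$1"; shift
  if ! check_args "$auth_mode" "$@"; then
    echo "Usage: auth USERNAME" >&2
    return 1
  fi
  auth_user="$1"   # only the first argument is used as the username
  if [ -z "${RSTUDIO_PASSWORD:-}" ]; then
    echo "RSTUDIO_PASSWORD is not set" >&2
    return 1
  fi
  IFS= read -r auth_pass || true
  # `[ a = b ]` is literal string equality; no pattern matching is involved.
  if [ "$auth_user" = "${USER:-}" ] && [ "$auth_pass" = "$RSTUDIO_PASSWORD" ]; then
    return 0
  fi
  echo "Invalid authentication" >&2
  return 1
}

# Demo with constructed values: the same call, with trailing extra arguments,
# against both checks.
USER="alice"; RSTUDIO_PASSWORD="constructed-secret"
for demo_mode in strict tolerant; do
  if printf '%s\n' "$RSTUDIO_PASSWORD" | auth "$demo_mode" alice extra1 extra2 2>/dev/null; then
    echo "$demo_mode: accepted"
  else
    echo "$demo_mode: rejected"
  fi
done
```

With the strict check a correct password is rejected before it is ever read, which from the browser looks the same as a bad credential. The tolerant check ignores everything after the username, so nothing past the first argument should influence the decision.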