Rstudio 2023.12.1-402 invalid CSRF form

Struggling to get auth working. On the hpc node this shows up in the syslog.

rserver[29190]: ERROR Failed to validate sign-in with invalid CSRF form; LOGGED FROM: bool rstudio::server::auth::common::validateSignIn(const rstudio::core::http::Request&, rstudio::core::http::Response*) src/cpp/server/auth/ServerAuthCommon.cpp:136

This is my view.html.erb

  var hostButton=$( "a.btn.btn-primary.btn-sm.fas.fa-terminal" );
  var hostname=hostButton.text();
  document.cookie = "csrf-token=<%= csrf_token %>; path=/rnode/<%= host %>/<%= port %>; secure";`
<form action="/rnode/<%= host %>/<%= port %>/auth-do-sign-in" method="post" target="_blank">
  <input type="hidden" name="username" value="<%= ENV["USER"] %>"/>
  <input type="hidden" name="password" value="<%= password %>"/>
  <input type="hidden" name="staySignedIn" value="1"/>
  <input type="hidden" name="appUri" value=""/>
  <input id="csrfToken" type="hidden" name="csrf-token" value="<%= csrf_token %>"/>
  <button class="btn btn-primary" type="submit">
    <i class="fab fa-r-project"></i> Connect to RStudio Server


  template: "basic"
    - csrf_token

# Export the module function if it exists
[[ $(type -t module) == "function" ]] && export -f module

# Find available port to run server on
port=$(find_port ${host})

# Define a password and export it for RStudio authentication
password="$(create_passwd 16)"
export RSTUDIO_PASSWORD="${password}"

# create CSRF token
  require 'securerandom'
export csrf_token="<%= csrftoken %>"

I do see the connection.yml file gets populated with the csrf token and password. I’ve tried copy and pasting in the password and I still can’t get through it. It will always show csrf invalid on the hpc node.

csrf_token: d27d4914-d045-4f72-a472-752a308156c9
port: 52195
password: YazTPS3NLq6pFbFv

Hello, and welcome!

I’ve been unable to reproduce this issue, and what I’ve found is that it’s probably pretty tied to specifics about how RStudio manages authentication and will require further investigation. I have found that you’re not the only one to have faced it and that there is a closed rstudio issue with the same error.

I am continuing to investigate this issue and will keep you updated on what I find.

Thanks, if this helps. We’re on Centos 7.9 OS and container with singularity/3.8.6.

In addition to this, even if I access the hpc node directly without going through the url rewrite. It still doesn’t take the password.

This is the

#!/usr/bin/env bash

# Load the required environment
setup_env () {
  # Additional environment which could be moved into a module
  # Change these to suit
  export RSTUDIO_SERVER_IMAGE="/gpfs/commons/home/lhuang/ondemand/dev/RStudio/rserver-launcher-centos7.simg"
  export SINGULARITY_BINDPATH="/etc,/media,/mnt,/opt,/srv,/usr,/var,/nfs/sw,/nfs/scratch"
  export PATH="$PATH:/nfs/sw/rstudio-server/rstudio-server-2023.12.1-402/usr/lib/rstudio-server/bin/"
  # In Singularity 3.5.x it became necessary to explicitly pass LD_LIBRARY_PATH
  # to the singularity process
  module load rstudio-server/2023.12.1-402
  module load singularity
  module load R/3.6.0

# Start RStudio Server

# PAM auth helper used by RStudio
export RSTUDIO_AUTH="/gpfs/commons/home/lhuang/ondemand/dev/Rstudio/template/bin/auth"

# Generate an `rsession` wrapper script
umask 077
sed 's/^ \{2\}//' > "${RSESSION_WRAPPER_FILE}" << EOL
  #!/usr/bin/env bash

  # Log all output from this script
  export RSESSION_LOG_FILE="${PWD}/rsession.log"

  exec &>>"\${RSESSION_LOG_FILE}"

  # Launch the original command
  echo "Launching rsession..."
  set -x
  exec rsession --r-libs-user "${R_LIBS_USER}" "\${@}"

# Set working directory to home directory
cd "${HOME}"

export TMPDIR="$(mktemp -d)"

mkdir -p "$TMPDIR/rstudio-server"
python -c 'from uuid import uuid4; print(uuid4())' > "$TMPDIR/rstudio-server/secure-cookie-key"
chmod 0600 "$TMPDIR/rstudio-server/secure-cookie-key"

set -x
# Launch the RStudio Server
echo "Starting up rserver..."

singularity run -B "$TMPDIR:/tmp" "$RSTUDIO_SERVER_IMAGE" \
 --www-port "${port}" \
 --auth-none 0 \
 --auth-pam-helper-path "${RSTUDIO_AUTH}" \
 --auth-encrypt-password 0 \
 --rsession-path "${RSESSION_WRAPPER_FILE}" \
 --server-data-dir "/nfs/scratch/$USER" \
 --database-config-file "/nfs/sw/rstudio-server/rstudio-server-2023.12.1-402/etc/rstudio/local.conf" \
 --server-user "$USER"

I’ve figured this out based on someone else solution. It was in the auth script. I had to change “ne” to “lt”

if [[ $# -ne 1 ]]; then

This is also because the step by step instructions is to clone from GitHub - OSC/bc_example_rstudio: An example OnDemand interactive RStudio app using Singularity
Which is slightly out of date hence why the difference in auth file.