Bug with CSRF Token with HMAC #36821
@yazalulloa thanks for the investigation,
It is a bug. When the signature is required, the cookie value is a signed CSRF token, so, after the refresh, if it is returned as a CSRF token (which is fine without the signature), then it fails: when the CSRF token is later verified again, the already signed value is now double signed and therefore fails to match the cookie value. Please move this discussion to the issue as a bug, thanks.
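The mismatch described in the answer above, modelled as an added example (this is not Quarkus code; the `<token>.<hex HMAC>` cookie layout, the demo key and the helper names are assumptions for illustration):

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In Quarkus the real key comes from
# quarkus.csrf-reactive.token-signature-key (assumed to play the same HMAC role).
SIGNATURE_KEY = b"constructed-demo-key-do-not-reuse"


def sign_token(token: str, key: bytes = SIGNATURE_KEY) -> str:
    """Assumed cookie layout: '<token>.<hex HMAC-SHA256>' (not Quarkus's exact encoding)."""
    mac = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{mac}"


def issue_token() -> tuple[str, str]:
    """First page render: the raw token goes into the HTML, the signed token into the cookie."""
    token = secrets.token_urlsafe(32)  # URL-safe, so it never contains '.'
    return token, sign_token(token)


def verify(form_token: str, cookie_value: str, key: bytes = SIGNATURE_KEY) -> bool:
    """Server check on POST/PUT/DELETE: re-sign the submitted token and compare with the cookie."""
    return hmac.compare_digest(sign_token(form_token, key), cookie_value)


def rerender_buggy(cookie_value: str) -> str:
    """The behaviour from the thread: on refresh the (already signed) cookie value is injected as the form token."""
    return cookie_value


def rerender_fixed(cookie_value: str) -> str:
    """Recover the unsigned token for the HTML, after checking the cookie really carries our signature."""
    token, sep, _mac = cookie_value.rpartition(".")
    if not sep or not hmac.compare_digest(sign_token(token), cookie_value):
        raise ValueError("cookie is not a token signed with this key")
    return token


def demo() -> dict[str, bool]:
    token, cookie = issue_token()
    return {
        "first_load": verify(token, cookie),                            # True
        "after_refresh_buggy": verify(rerender_buggy(cookie), cookie),  # False: double signed
        "after_refresh_fixed": verify(rerender_fixed(cookie), cookie),  # True
    }


if __name__ == "__main__":
    print(demo())
```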
Hi, I'm trying to build a web application with HTMX, a simple JS library for AJAX requests. For POST, DELETE and PUT I understand I need to pass the CSRF token either as a form param or as a header. I'm finding that after I refresh the page, the CSRF token that gets injected in the HTML is the previous cookie token, and every HTTP request except GET fails. This only happens if I have the property quarkus.csrf-reactive.token-signature-key.
Is there some missing configuration I don't have or is it a bug?
Here is the code:
https://github.com/yazalulloa/quarkus-csrf-signature-bug
First load:
Second load: