I'm doing some simple login validation on my Play! 2.6 framework web app, and it seems to not pick up the CSRF token that I include in the view.loginForm:
@import helper.CSRF
@(loginform: Form[UserLoginData])(implicit messages: MessagesProvider, request: RequestHeader)
@main() {
    <div class="row">
        <form method="post" class="col-md-6" id="loginform" autocomplete="on">
            @CSRF.formField
            <input type="text" id="userName">
            <!-- other inputs and submit button -->
        </form>
    </div>
}
and then my conf/routes file handles the POST with:
POST /login controllers.LoginRegController.attemptLogin
And here's the method in the LoginRegController:
def attemptLogin() = Action {
  implicit request: Request[AnyContent] => {
    loginform.bindFromRequest().fold(
      formWithErrors => BadRequest(views.html.login(formWithErrors)),
      successfulForm => {
        // check DB for valid inputs
        val userName = // retrieved from form
        Ok(views.html.afterLogin.dashboardviews.dashboard())
          .withSession(request.session + ("authenticated" -> "true") + ("username" -> userName))
          .withHeaders(SecurityHeadersFilter
            .CONTENT_SECURITY_POLICY_HEADER -> " .fonts.googleapis.com ")
      }
    )
  }
}
As soon as the user hits submit, it gets taken to the framework's default Authorized page, and I see on my console that it has failed the CSRF check:
[warn] p.filters.CSRF - [CSRF] Check failed because no token found in headers
I'm thinking that there's a similar problem to the one mentioned in this answer here, in that the session is being refreshed, but I would think it would have the token in the request itself, pass the check, and then load up a new session. Any ideas how to fix this, or how to grab the token and "insert" it where necessary here in the controller method?
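As an added example, not code from the question's app: the Play 2.6 pattern for making the CSRF token explicit in a controller, wrapping the GET that renders the form in CSRFAddToken (so a token is issued and stored before @CSRF.formField runs) and the POST in CSRFCheck, while extending the existing session instead of replacing it. The form model, field names and template signature are assumptions chosen to match the question.

```scala
package controllers

import javax.inject.Inject
import play.api.data.Form
import play.api.data.Forms._
import play.api.i18n.I18nSupport
import play.api.mvc._
import play.filters.csrf._

// Assumed form model; the field names are assumptions matching the template.
case class UserLoginData(userName: String, password: String)

class LoginRegController @Inject()(
    addToken: CSRFAddToken,   // issues a token and writes it to the session/cookie
    checkToken: CSRFCheck,    // rejects the POST unless the body token matches the stored one
    cc: ControllerComponents
) extends AbstractController(cc) with I18nSupport {

  val loginForm: Form[UserLoginData] = Form(
    mapping(
      "userName" -> nonEmptyText,
      "password" -> nonEmptyText
    )(UserLoginData.apply)(UserLoginData.unapply)
  )

  // GET /login: addToken guarantees the response carries a token, so
  // @CSRF.formField has a value to emit and the browser stores the
  // matching session cookie for the later POST.
  def showLogin: Action[AnyContent] = addToken(Action { implicit request =>
    // How to "grab" the token inside a controller if it is needed elsewhere.
    val tokenName: Option[String] = CSRF.getToken.map(_.name)
    Ok(views.html.login(loginForm)) // template takes the implicit request
  })

  // POST /login: checkToken compares the hidden field with the token bound
  // to the session. Extend request.session rather than replacing it, or the
  // token is dropped and every later form submission fails the check.
  def attemptLogin: Action[AnyContent] = checkToken(Action { implicit request =>
    loginForm.bindFromRequest().fold(
      formWithErrors => BadRequest(views.html.login(formWithErrors)),
      data =>
        Ok(s"logged in as ${data.userName}")
          .withSession(request.session + ("authenticated" -> "true") + ("username" -> data.userName))
    )
  })
}
```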