CSRF token is broken after update

Greetings,

I have updated from 4.62 to 4.8 and now I have a number of issues that appear related to the CSRF token. A sample log entry:

2024-06-13 17:27:35 error: [Cake\Http\Exception\InvalidCsrfTokenException] CSRF token from either the request body or request headers did not match or is missing. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php on line 419
Request URL: /users/recover.json?api-version=v2
Referer URL: https://passwords.redacted.ca/auth/login?redirect=%2Fapp%2Fpasswords&locale=en-UK
Client IP: 10.10.255.175

Users logged in can continue to log in but email notifications are no longer sent. Users logging in from a new browser are unable to log in. They receive a message “Access to this service requires an invitation”. I cannot update settings.

I have read related issues and I have tried deleting cookies without success. Any help would be appreciated.

Hello @cyberfarer and welcome to the forum!

It seems that your most problematic issue here is about not receiving any emails; the CSRF token should be another thing that is not related.

What do you mean exactly by “I cannot update settings”?

There is a guide to configure the email settings (I don’t know if you could use it however):

There is this guide as well for testing the SMTP settings:

Also, do you have any other errors in your logs?