
_csrf view local is not defined inside of partials when using CSRF protection #3707

Closed
ghost opened this issue Apr 22, 2016 · 9 comments

Comments

@ghost

ghost commented Apr 22, 2016

Sails version: 0.11.4
Node version: 5.4.1
NPM version: 3.5.2
Operating system: Ubuntu 14.04


Unfortunately the only thing I have is this call stack:

```
Sending 500 ("Server Error") response: 
 ReferenceError: /usr/home/my_user/domains/my_domain/public_nodejs/views/blog/home.ejs:91
    89|   </div>
    90|   <!-- /.home-content -->
 >> 91|   <%- partial('sidebar.ejs') %>
    92| </div>
    93| 

/usr/home/my_user/domains/my_domain/public_nodejs/views/blog/sidebar.ejs:27
    25|           </ul>
    26|         </div>
 >> 27|         <input type="hidden" name="_csrf" value="<%= _csrf %>" />
    28|       </form>
    29|     </div>
    30|   </div>

_csrf is not defined
    at eval (eval at <anonymous> (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/ejs/lib/ejs.js:1:0), <anonymous>:30:1303)
    at eval (eval at <anonymous> (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/ejs/lib/ejs.js:1:0), <anonymous>:30:3616)
    at /usr/home/my_user/domains/my_domain/public_nodejs/node_modules/ejs/lib/ejs.js:250:15
    at Object.exports.render (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/ejs/lib/ejs.js:288:13)
    at render (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/node_modules/ejs-locals/index.js:334:20)
    at Object.partial (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/node_modules/ejs-locals/index.js:376:12)
    at eval (eval at <anonymous> (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/ejs/lib/ejs.js:1:0), <anonymous>:30:4790)
    at eval (eval at <anonymous> (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/ejs/lib/ejs.js:1:0), <anonymous>:30:4833)
    at /usr/home/my_user/domains/my_domain/public_nodejs/node_modules/ejs/lib/ejs.js:250:15
    at Object.exports.render (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/ejs/lib/ejs.js:288:13)
    at Object.exports.renderFile (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/ejs/lib/ejs.js:318:20)
    at module.exports [as engine] (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/node_modules/ejs-locals/index.js:85:7)
    at View.render (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/node_modules/express/lib/view.js:76:8)
    at Function.app.render (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/node_modules/express/lib/application.js:561:10)
    at ServerResponse.res.render (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/node_modules/express/lib/response.js:845:7)
    at ServerResponse.res.view (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/lib/hooks/views/res.view.js:237:16)
    at /usr/home/my_user/domains/my_domain/public_nodejs/api/controllers/BlogController.js:28:11
    at /usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/node_modules/async/lib/async.js:589:17
    at done (/usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/node_modules/async/lib/async.js:132:19)
    at /usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/node_modules/async/lib/async.js:32:16
    at /usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/node_modules/async/lib/async.js:586:21
    at /usr/home/my_user/domains/my_domain/public_nodejs/node_modules/sails/node_modules/async/lib/async.js:251:17 { [ReferenceError: /usr/home/my_user/domains/my_domain/public_nodejs/views/blog/home.ejs:91
    89|   </div>
    90|   <!-- /.home-content -->
 >> 91|   <%- partial('sidebar.ejs') %>
    92| </div>
    93| 

/usr/home/my_user/domains/my_domain/public_nodejs/views/blog/sidebar.ejs:27
    25|           </ul>
    26|         </div>
 >> 27|         <input type="hidden" name="_csrf" value="<%= _csrf %>" />
    28|       </form>
    29|     </div>
    30|   </div>

_csrf is not defined]
  path: '/usr/home/my_user/domains/my_domain/public_nodejs/views/blog/home.ejs' }
```

It's the first time I see this error. It has never shown up during development. Maybe it's related to partial, since this is the only time I'm using partials in my view. Of course I have CSRF protection enabled in config.

@mikermcneil
Member

@selenir Thanks for the report. I took a quick look around and I think this is due to an inconsistency coming from an old dependency: ejs-locals. It's about time to dig into that layout/partials stuff for some updates anyways, and right now I'm also in the process of working on a friendlier "bootstrap-data-for-access-from-client-side-js" helper, so the timing is right to go ahead and figure this out once and for all (and probably fix it there, then fold that code into the core views hook).

If you have a moment, would you make a quick GitHub repo that reproduces this in the simplest possible app using v0.12.x of Sails? That'll save me some time while debugging, and also rule out any version-specific issues (If it turns out this has already been fixed in 0.12, it's no problem to backport a fix as a patch release for 0.11.x-- and I'd rather know that now before I go in there and fold in the dependency).

Thanks!

@mikermcneil mikermcneil changed the title _csrf not defined in partial when using CSRF protection _csrf view local is not defined inside of partials when using CSRF protection Apr 23, 2016
@ghost
Author

ghost commented Apr 26, 2016

I think I'm not able to reproduce this bug. In 99% of cases it works fine. The call stack is from the home page of my Sails app, which is rendered ~10k times per day, and the bug showed up only a few times. I will try to log more data on this route; maybe something will show up.

@sgress454
Member

In 99% cases it works fine.

Yeah, that's...really weird. It'd be worth hiding a <%= _csrf %> somewhere directly in home.ejs just to see if the problem is that the token itself is not getting set sometimes. That would also be weird, but slightly less so.

@not-an-aardvark

I'm encountering this too; it might be related to #2566.

@mikermcneil
Member

@selenir thanks for the additional info! Keep us posted if you're able to reproduce this-- I'll leave the issue open.

@not-an-aardvark Hmm, are you seeing it only w/ partials as well? If not, it seems less likely that it's res.forbidden() per se-- more like the conditions under which res.forbidden gets called. Sounds like it might be that the user doesn't have a session for some reason, or that the csrf hook can't access it. I wonder if that's a separate issue due to sessions expiring? Re your commit in your project where you referenced #2566 (that adds the typeof check), I think that's a good idea in general. I find it's often useful to be able to disable CSRF protection in dev anyways (i.e. if you're hitting your endpoints with a REST client like Postman-- although, at least with Postman, you can take advantage of environments now, so that's less of a big deal)

@not-an-aardvark

Hmm, are you seeing it only w/ partials as well?

Nope, the place where I was having an issue wasn't in a partial, it was in the main layout.ejs file.

Unfortunately, I don't have a reproducible test-case for it. I only noticed the issue in porybox/porybox@b12aa8c because I saw errors in the server logs about _csrf not being defined.

Thanks for looking into this!

@bonanzakrak

I created another case (#3865), but after reading this case, I think it may be connected.

This error occurs when you request HEAD for a page.
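The `typeof` guard discussed earlier in the thread and the HEAD-request case reported here share one root cause, so the following added example (not Sails, EJS or ejs-locals code) covers both. It uses a constructed, minimal stand-in for how EJS evaluates `<%= %>` inside a `with (locals)` block to show why an unset `_csrf` local throws `ReferenceError` instead of rendering empty, why the `typeof` guard avoids that, and how normalizing the local server-side avoids it as well; `compile`, `render`, `withCsrfLocal` and the sample templates are assumptions built for the example.

```javascript
// Added example: a tiny stand-in for how EJS evaluates `<%= expr %>`.
// Like EJS, the generated function opens the locals object with `with`, so a
// local that was never set is a bare unbound identifier: `_csrf` throws
// ReferenceError ("_csrf is not defined") instead of rendering as empty.
function compile(src) {
  const re = /<%=\s*([\s\S]+?)\s*%>/g;
  const parts = [];
  let last = 0, m;
  while ((m = re.exec(src)) !== null) {
    parts.push(JSON.stringify(src.slice(last, m.index)));
    parts.push('esc(' + m[1] + ')'); // expression evaluated inside `with`
    last = re.lastIndex;
  }
  parts.push(JSON.stringify(src.slice(last)));
  return new Function('locals', 'esc',
    'with (locals) { return [' + parts.join(', ') + '].join(""); }');
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render and report the outcome instead of throwing, mirroring the 500 the
// thread saw: { ok: false, error: 'ReferenceError: _csrf is not defined' }.
function render(src, locals) {
  try {
    return { ok: true, html: compile(src)(locals, escapeHtml) };
  } catch (e) {
    return { ok: false, error: e.name + ': ' + e.message };
  }
}

// The hidden field from the partial in the report, and the guarded form:
// `typeof` is the one operator that is safe on an unbound identifier.
const HIDDEN_FIELD = '<input type="hidden" name="_csrf" value="<%= _csrf %>" />';
const GUARDED_FIELD =
  `<input type="hidden" name="_csrf" value="<%= typeof _csrf !== 'undefined' ? _csrf : '' %>" />`;

// Server-side hardening (hypothetical helper): make sure the local is always
// *defined*, even on request paths that hand out no token (the thread reports
// HEAD requests). An empty value renders; an absent one crashes the view.
function withCsrfLocal(locals, token) {
  return Object.assign({}, locals, { _csrf: typeof token === 'string' ? token : '' });
}
```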

@sgress454
Member

See the answer in #3865, since it might explain the intermittent issue seen in this post.

@sgress454
Member

Ok, since there's been no further chatter on this I'm assuming it's related to #3865.
