Phabricator AphrontRequest / Save Error Fix

By David Walsh on May 2, 2017

Working on Phabricator extensions has thrust me back into the world of PHP, a language I had only touched via WordPress plugins and blog themes over the past few years. Despite being away from the language, I was able to jump back in fairly quickly and felt a small "back at home" comfort...until I realized Phabricator was not greatly documented and that I'd need to dive deep into the source code to figure out how to do just about every task.

One error that baffled me for a while was the following:

You are trying to save some data to Phabricator, but the request your browser made included an incorrect token. Reload the page and try again. You may need to clear your cookies.

I was trying to create and save a PhabricatorAuthTemporaryToken instance for the sake of allowing login via a third party service, and the request from that service to Phabricator was made in the background, so there was no PHCID because there was no session, thus the CSRF token was invalid. Essentially I needed a way to write to Phabricator without a CSRF validation (via PHCID) step. The solution was simple:

// Turn off CSRF check
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
// Save token
id(new PhabricatorAuthTemporaryToken())
  ->setTokenResource($transaction_code)
  // ...
  ->save();
// Turn CSRF check back on
unset($unguarded);

AphrontWriteGuard::beginScopedUnguardedWrites() allowed me to turn of the CSRF check, save the token, and then turn the CSRF check back on via unset. Short amount of code but took a long time to find!

I love that advanced libraries like Phabricator insist on these security checks without developers having to do so explicitly; I also love that turning off this check momentarily is easy. I'll be sure to share more PHP / Phabricator tips as I run into problems!

Recent Features

By David WalshFebruary 6, 2013

6 Things You Didn’t Know About Firefox OS

Firefox OS is all over the tech news and for good reason: Mozilla's finally given web developers the platform that they need to create apps the way they've been creating them for years -- with CSS, HTML, and JavaScript. Firefox OS has been rapidly improving...

By Andi DysartOctober 16, 2014

Responsive Images: The Ultimate Guide

Chances are that any Web designers using our Ghostlab browser testing app, which allows seamless testing across all devices simultaneously, will have worked with responsive design in some shape or form. And as today's websites and devices become ever more varied, a plethora of responsive images...

Incredible Demos

By David WalshJanuary 3, 2011

MooTools ASCII Art

I didn't realize that I truly was a nerd until I could admit to myself that ASCII art was better than the pieces Picasso, Monet, or Van Gogh could create. ASCII art is unmatched in its beauty, simplicity, and ... OK, well, I'm being ridiculous; ASCII...

By David WalshSeptember 8, 2009

Page Peel Effect Using MooTools

Soh Tanaka release a great script back in May titled Simple Page Peel Effect with jQuery & CSS. The idea is that you place a "peel" image on the upper-right side of an element which, when hovered, "peels" open and peels close.