Local JATOS installation, cannot download *any* results due to CSRF restrictions
I'm running local JATOS under virtual Linux (Win10 / Ubuntu 18.04 LTS), accessing the local server via http://127.0.0.1:9000 (built-in admin as the only user). This setup has been working fine for some time. Now, following the JATOS 3.9.3 => 3.9.6 upgrade (via admin interface), I cannot download any results; the txt/zip/jatos experiment files end up with the one-liner text content
You're not allowed to access this resource.
even though the JATOS GUI shows a notification that the file was downloaded successfully. Looking at the JATOS application log, there's a reference to a CSRF token which seems to refer to some cross-site scripting security feature:
2025-07-08 11:40:42,964 [INFO] - g.ErrorHandler - forbidden: No CSRF token found for application/json body
2025-07-08 11:40:42,964 [WARN] - p.f.CSRF - [CSRF] Check failed because application/json for request /jatos/api/v1/results/data?asPlainText=true&isApiCall=false
2025-07-08 11:40:33,792 [INFO] - gui_access - GET /jatos/componentResults/tableData?componentId=115&_=1751964033695 (admin)
2025-07-08 11:40:33,627 [INFO] - gui_access - GET /jatos/57/115/results (admin)
2025-07-08 11:40:32,104 [INFO] - gui_access - GET /jatos/57/componentsTableData?_=1751964032023 (admin)
I'm assuming this is related to the JATOS 3.9.3 CSRF vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2024-51382). I already tried creating a new user (instead of admin) and using that to download the results file, but ended up with the same broken results file output. Spending some time in the JATOS GitHub repo (searching for CSRF), I ended up with a workaround of adding this to jatos.conf, effectively removing these CSRF features completely (I would assume), but I feel it's a bit hacky.
play.filters { enabled -= play.filters.csrf.CSRFFilter }
Should this be documented somewhere more clearly? I'm fine with this workaround, but somehow feel it should be default config for new users.
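The log excerpt in the post is the only evidence of what went wrong, so being able to pick the CSRF check failures out of the JATOS application log (and see which request path they hit) is useful both for diagnosing a broken client and for noticing when such failures show up without any user action. The following is an added example, not code from the original post or from the JATOS project: a small parser for log lines in the format quoted above, with the sample lines constructed from that excerpt. It assumes the Play CSRF filter logs under the logger name `p.f.CSRF` with the message shape seen in the post; other JATOS/Play versions may word it differently.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: the entries are copied from the application log
# quoted in the post above; this is not a live capture.
SAMPLE_LOG = """\
2025-07-08 11:40:42,964 [INFO] - g.ErrorHandler - forbidden: No CSRF token found for application/json body
2025-07-08 11:40:42,964 [WARN] - p.f.CSRF - [CSRF] Check failed because application/json for request /jatos/api/v1/results/data?asPlainText=true&isApiCall=false
2025-07-08 11:40:33,792 [INFO] - gui_access - GET /jatos/componentResults/tableData?componentId=115&_=1751964033695 (admin)
2025-07-08 11:40:33,627 [INFO] - gui_access - GET /jatos/57/115/results (admin)
2025-07-08 11:40:32,104 [INFO] - gui_access - GET /jatos/57/componentsTableData?_=1751964032023 (admin)
"""

# One JATOS log line: "<timestamp> [<LEVEL>] - <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<level>[A-Z]+)\] - (?P<logger>\S+) - (?P<msg>.*)$"
)
# Request path named in a Play CSRF filter failure message (assumed format,
# matching the line quoted in the post).
CSRF_PATH_RE = re.compile(r"Check failed because .* for request (?P<path>\S+)")

@dataclass
class LogEntry:
    ts: str
    level: str
    logger: str
    msg: str

def parse_log(text: str) -> List[LogEntry]:
    """Parse every well-formed line; silently skip lines in another format."""
    entries: List[LogEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(LogEntry(**m.groupdict()))
    return entries

def csrf_failures(entries: List[LogEntry]) -> List[Tuple[str, Optional[str]]]:
    """Return (timestamp, request path without query string) for each CSRF
    check failure logged by the Play filter."""
    found: List[Tuple[str, Optional[str]]] = []
    for e in entries:
        if e.logger != "p.f.CSRF":
            continue
        m = CSRF_PATH_RE.search(e.msg)
        # Drop the query string so the same endpoint aggregates under one key.
        path = m.group("path").split("?")[0] if m else None
        found.append((e.ts, path))
    return found

def failures_by_path(entries: List[LogEntry]) -> Dict[str, int]:
    """Count CSRF failures per endpoint. One hit after a GUI action usually
    means the browser session/cookie is stale (the case in the post); many
    hits on an endpoint with no matching gui_access activity is worth a look."""
    return dict(Counter(p for _, p in csrf_failures(entries) if p))

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ts, path in csrf_failures(entries):
        print(f"{ts}  CSRF check failed for {path}")
    print(failures_by_path(entries))
```

Run it against the real log by replacing `SAMPLE_LOG` with the contents of the JATOS application log file; the `gui_access` entries around a failure show which GUI click triggered the API call that lacked the token.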
Comments
That is strange. It looks like the CSRF token isn't sent with the request. I just tried it out, just to be sure, with a new installation on Ubuntu 22.04, and the result download worked without problems. I don't think your issue has anything to do with your Ubuntu being older or with it being a virtual one running on Win10.
I have some questions:
Best,
K.
Yep, this seemed weird indeed. Following a Windows 10 restart due to upgrades, I reverted to the "default" jatos.conf (no play.filters section) and cannot reproduce the download issue anymore with the same virtual Ubuntu 18.04 (I was using Chrome at that time, if it matters). During the issues the jatos.conf on the testing machine was plain default, no modifications whatsoever: only application.conf was included and the rest of the file was commented out.
This might indeed have something to do with browser cache/cookies. If I recall correctly, prior to doing the JATOS 3.9.3=>3.9.6 upgrade the JATOS experiment admin interface had some UI issues: it wasn't showing any component results listed in table format for one specific component ("select all" upgraded the count at the bottom of the page but didn't eventually download anything). I cleared the browser cache only for localhost at that time; it helped with this visibility issue, but I probably didn't do this cleanly enough (i.e. the localhost JATOS page was open while I cleared the cookies, and it helped practically instantly).
All in all, it seems it was a temporary glitch, fortunately.
Nice you could solve it!