Avoid race condition expiration of csrf-token in SPA #4861
ivan-suhorukov started this conversation in Ideas
Replies: 0 comments
Hello! I'm having a production issue with the CSRF token.
I have an SPA application based on AdonisJS and I use adonisjs/shield CSRF protection. Somehow my production app logs many "crsf-expired" messages every day. Like that:
I suppose some requests from the frontend app have been blocked by the CSRF protection. I cannot reproduce this error on the dev environment, nor on production by myself. And I suppose this is a race-condition error on the frontend. Some simultaneous requests share the same CSRF token and one of them fails.
Can it be true? And if it is, can we constrain the requests that update the xsrf-token, so API requests, like /api/*, do not refresh it? Maybe by accepting a filter function in enableXsrfCookie? Something like this:
Thanks!