HTTP 400 When Using Nosurf and Appengine Blobstore

I am using the Appengine Blob store example and it works fine (I modified to take two files but that is not the issue). However, when I turn on nosurf it gives me a HTTP 400. I am passing in the csrf token to my form. The issue exists even if I just upload one file.

nosurf works just fine for other forms but only gives me trouble with blobstore file upload.

Since the code is large (it is the just the example with some minor tweaks), I have put it here: http://play.golang.org/p/SJADmn-WvJ (of course you cannot run it there as you need app-engine and nosurf)

Small parts of the code:

const rootTemplateHTML = `
<html><body>
<form action="{{.UpUrl}}" method="POST" enctype="multipart/form-data">
    Upload File: <input type="file" name="file1"><br>
    Upload File: <input type="file" name="file2"><br>
    <input type="hidden" name="csrf_token" value="{{ .Token }}">
    <input type="submit" name="submit" value="Submit">
</form>
</body></html>
`

This does not work:

    http.Handle("/", nosurf.New(http.HandlerFunc(handleRoot)))
    http.Handle("/upload", nosurf.New(http.HandlerFunc(handleUpload)))
    http.HandleFunc("/serve/", handleServe)

But this works (no 400 status):

    http.HandleFunc("/", handleRoot)
    http.HandleFunc("/serve/", handleServe)
    http.HandleFunc("/upload", handleUpload)

Is this something to do with nosurf or app-engine? Any suggestions on what I should do to fix this issue?

Thanks!

The blobstore upload URL works by actually posting your file upload to a special /_ah/... route on your app, which is not actually handled by your app but is used as a signal for the infrastructure to send the data over to the storage upload handler, which is an internal handler that does the actual put to storage.

The callback route you pass to the function that generated the upload URL is the route on your app which will receive a request once this is done that contains not the file data but the file metadata, such as the filenames, along with any other parameters passed to the request (such as, importantly, the CSRF token).

The token which you pass, however, was generated from a call to nosurf.Token(r), where r is the request the user's browser made to your app at the time the page was generated. When the storage upload handler sends the callback request to your /upload route, nosurf expects the client that sent the request to have a valid CSRF token generated for that client (the storage upload handler) and validates that request based on that expectation. Instead it receives the CSRF token that was generated for the page which you originally sent to the user, containing the form.