Parisson / TimeSide

scalable audio processing framework and server written in Python
https://timeside.ircam.fr/docs/
GNU Affero General Public License v3.0

[API] CSRF Failed: Referer checking failed - Referer is insecure while host is secure #187

Closed gnuletik closed 4 years ago

gnuletik commented 4 years ago

When trying to make an HTTP POST request, I get the following error from Django: CSRF Failed: Referer checking failed - Referer is insecure while host is secure

This error seems to be generated by Django's CSRF check which rejects requests where the Referer HTTP header is not on one of Django's HTTP configured domains.

I tried to send this request with JWT authentication

curl \
  -X POST \
  -H 'Authorization: Bearer XXX' \
  -H 'Content-Type: application/json' \
  -d '{"analysis": "https://sandbox.wasabi.telemeta.org/timeside/api/analysis/a2f004da-1966-4734-b263-baddcefaa824/", "item": "https://sandbox.wasabi.telemeta.org/timeside/api/items/f819b56c-e4c4-4762-83ac-77eb81084268/"}' \
  'https://sandbox.wasabi.telemeta.org/timeside/api/analysis_tracks/'

And it worked without any issue.

Dropping Django's CSRF check would raise a security issue.

As the current authentication mechanism (cookie + CSRF) is raising this issue and https://github.com/Parisson/TimeSide/issues/165, I guess that the simplest solution is to switch to JWT.
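To make the error quoted above concrete, here is an added example (not TimeSide code, and not Django's own implementation) that models the Referer check Django's CsrfViewMiddleware runs on unsafe methods over HTTPS, and the routing that follows from keeping both authentication modes: a session-cookie request goes through the check, a Bearer-token request does not, because Django REST Framework only enforces CSRF from SessionAuthentication. The reason strings follow django/middleware/csrf.py; the origin matching is simplified (host patterns, as in pre-4.0 CSRF_TRUSTED_ORIGINS), the DRF class list is assumed, and all hostnames and headers are constructed.

```python
"""Simplified model of Django's CSRF Referer check and of DRF's
per-authenticator CSRF enforcement. Illustration only; not project code."""
from urllib.parse import urlparse

# Reason strings as emitted by django/middleware/csrf.py
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_INSECURE_REFERER = "Referer checking failed - Referer is insecure while host is secure."
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."


def is_same_domain(host, pattern):
    """Match a host against a pattern; a leading '.' also matches subdomains."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def check_referer(is_secure, referer, host, trusted_origins=()):
    """Return None if the request passes, otherwise the rejection reason.

    Django only performs this check for HTTPS requests: over plain HTTP an
    active network attacker can strip or forge the header anyway, so the
    check would add nothing there.
    """
    if not is_secure:
        return None
    if referer is None:
        return REASON_NO_REFERER
    try:
        parsed = urlparse(referer)
    except ValueError:
        return REASON_MALFORMED_REFERER
    if "" in (parsed.scheme, parsed.netloc):
        return REASON_MALFORMED_REFERER
    if parsed.scheme != "https":
        # This is the branch that produced the error in this issue:
        # the API is served over HTTPS but the Referer is an http:// URL.
        return REASON_INSECURE_REFERER
    # Referer host must match a trusted origin pattern or the request host.
    origin = parsed.netloc
    if any(is_same_domain(origin, p) for p in trusted_origins):
        return None
    if is_same_domain(origin, host):
        return None
    return REASON_BAD_REFERER % parsed.geturl()


def decide(headers, host, is_secure, trusted_origins=()):
    """Model of the assumed DRF setup: JWTAuthentication then SessionAuthentication.

    Returns (mode, reason): mode is 'jwt', 'session' or 'anonymous'; reason is
    None when the request is accepted, else the CSRF rejection reason.
    DRF calls enforce_csrf() only inside SessionAuthentication, so a request
    carrying a Bearer token never reaches the Referer check.
    """
    if headers.get("Authorization", "").startswith("Bearer "):
        return ("jwt", None)
    if "sessionid=" in headers.get("Cookie", ""):
        reason = check_referer(is_secure, headers.get("Referer"), host, trusted_origins)
        return ("session", reason)
    return ("anonymous", None)


if __name__ == "__main__":
    # Constructed requests against a constructed API host.
    host = "api.example"
    samples = [
        {"Cookie": "sessionid=abc", "Referer": "http://player.example/"},   # rejected
        {"Cookie": "sessionid=abc", "Referer": "https://api.example/admin/"},  # accepted
        {"Authorization": "Bearer XXX"},                                     # no CSRF check
    ]
    for h in samples:
        print(h, "->", decide(h, host, is_secure=True))
```

The second branch of `decide` is the one the original reporter hit: the player lived on another origin and, judging by the error text, sent a non-HTTPS Referer, so adding the origin to a trusted list would not have helped on its own. Issuing the cross-origin client a Bearer token sidesteps the cookie/Referer model entirely while the admin keeps it.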

Tointoin commented 4 years ago

Dropping Django's CSRF check would raise a security issue.

As the current authentication mechanism (cookie + CSRF) is raising this issue and #165, I guess that the simplest solution is to switch to JWT.

I don't really understand your point:

gnuletik commented 4 years ago

Hi @Tointoin,

I meant to switch to JWT for the applications on another domain like the player (sorry for the imprecision). We can (and should) keep the cookie + CSRF auth for the Django app / admin.

I've started implementing the JWT auth on the player. Hopefully I'll be able to release it today :)

Tointoin commented 4 years ago

We can (and should) keep the cookie + CSRF auth for the Django app / admin.

Yep I've been thinking about that too. Simplest is indeed to keep both.

gnuletik commented 4 years ago

Hi @Tointoin, the JWT authentication is now implemented on the player. I'm closing the issue as we can keep both authentication modes on the API.

Thanks!