Stormbase / django-otp-webauthn

Passkey support for Django. Currently in early stages of development and not ready for production use!
BSD 3-Clause "New" or "Revised" License

Incompatible with CSRF_USE_SESSIONS = True #14

Closed nijel closed 1 month ago

nijel commented 1 month ago

The client code fetches the CSRF token from the cookie, but this is not available with CSRF_USE_SESSIONS = True. We ended up using that as the outcome of some security audits. I don't think it's more secure, and the Django documentation agrees, but storing the CSRF token in a cookie is a red flag for some audits.

Would it be possible to let it extract it from the HTML page in this case?

We make sure that the input is always present (<input type="hidden" name="csrfmiddlewaretoken" value="...">).

Stormheg commented 1 month ago

Thanks for the report!

Originally, my proof of concept retrieved the CSRF token from a hidden input. If I recall my reasoning correctly, I changed that to retrieve from a cookie instead under the assumption that it is always available and a hidden input might not be. Turns out that is a wrong assumption.

Would you be up to opening a pull request? The JS that goes looking for the CSRF token lives here: https://github.com/Stormbase/django-otp-webauthn/blob/6c25bc40220b5d705de43753745cd71bba2a34a9/client/src/utils.ts#L23

Falling back to looking for an input on the page sounds like it would do the job.
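The cookie-then-hidden-input lookup discussed above, as an added example that is not django-otp-webauthn's own client code. It assumes Django's default cookie name `csrftoken` (CSRF_COOKIE_NAME) and the `csrfmiddlewaretoken` hidden input that `{% csrf_token %}` renders; the DOM access is injected through a small interface so the logic runs outside a browser, and a `browserSource()` adapter shows how to wire it to `document` (hypothetical helper names throughout).

```typescript
// Added example, not the project's code. Resolves the CSRF token for an
// X-CSRFToken header: cookie first, then the hidden input. The fallback is
// what makes this work under CSRF_USE_SESSIONS = True, because Django then
// keeps the token in the session and never sets a csrftoken cookie.

interface CsrfSource {
  /** Raw cookie string, i.e. document.cookie in a browser. */
  cookies: string;
  /** Value of the first <input name="csrfmiddlewaretoken"> on the page, or null. */
  hiddenInputValue: () => string | null;
}

/** Read one cookie value out of a document.cookie style string. */
function readCookie(cookies: string, name: string): string | null {
  for (const part of cookies.split(";")) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf("=");
    if (eq === -1) continue;
    if (trimmed.slice(0, eq) === name) {
      return decodeURIComponent(trimmed.slice(eq + 1));
    }
  }
  return null;
}

/**
 * Cookie first (default Django setup), hidden input second
 * (CSRF_USE_SESSIONS = True). Returns null if neither is present.
 * cookieName defaults to Django's CSRF_COOKIE_NAME default; a deployment
 * that renames the cookie must pass its own name (assumption).
 */
function getCsrfToken(source: CsrfSource, cookieName = "csrftoken"): string | null {
  const fromCookie = readCookie(source.cookies, cookieName);
  if (fromCookie) return fromCookie;
  return source.hiddenInputValue();
}

/** Headers for a fetch() to a Django view; throws rather than sending no token. */
function csrfHeaders(source: CsrfSource, cookieName = "csrftoken"): Record<string, string> {
  const token = getCsrfToken(source, cookieName);
  if (token === null) {
    throw new Error("No CSRF token found in cookie or hidden input");
  }
  return { "X-CSRFToken": token };
}

/** Browser adapter (hypothetical helper): reads the real document when one exists. */
function browserSource(): CsrfSource {
  const doc = (globalThis as any).document;
  return {
    cookies: doc ? String(doc.cookie) : "",
    hiddenInputValue: () => {
      if (!doc) return null;
      const el = doc.querySelector('input[name="csrfmiddlewaretoken"]');
      return el ? String(el.value) : null;
    },
  };
}

// Constructed sample inputs, standing in for two deployments:
// default settings (cookie present) and CSRF_USE_SESSIONS = True (no cookie).
const withCookie: CsrfSource = {
  cookies: "sessionid=s3ss10n; csrftoken=c00k13t0k3n",
  hiddenInputValue: () => "h1dd3nt0k3n",
};
const sessionsOnly: CsrfSource = {
  cookies: "sessionid=s3ss10n",
  hiddenInputValue: () => "h1dd3nt0k3n",
};
const nothing: CsrfSource = { cookies: "", hiddenInputValue: () => null };

function demo(): string[] {
  return [
    String(getCsrfToken(withCookie)),
    String(getCsrfToken(sessionsOnly)),
    String(getCsrfToken(nothing)),
  ];
}
```

The cookie value and the hidden-input value differ (the input is masked per render), but Django's CsrfViewMiddleware accepts either in the X-CSRFToken header, so it does not matter which source the client ends up using; what matters is that the lookup does not give up when the cookie is missing.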

nijel commented 1 month ago

Sorry, if it were in Python I'd do it, but TypeScript is out of my abilities.