archesproject / arches-lingo

Arches Reference Data Manager Application
GNU Affero General Public License v3.0

Unable to obtain csrf token for login unless user has navigated to an Arches page first #59

Closed chrabyrd closed 2 months ago

chrabyrd commented 2 months ago

To reproduce:

  1. Open a browser different from your main development browser
  2. Open an incognito window
  3. Navigate to the app root (e.g. localhost:8000)
  4. Attempt to log in
  5. Notice the CSRF token failure toast
  6. Navigate to any other part of Arches
  7. Navigate back to root
  8. Notice the user can log in

jacobtylerwalls commented 2 months ago

Thanks. We also need to look into namespacing the CSRF tokens. They shouldn't just be csrftoken for every arches project/app (?)

jacobtylerwalls commented 2 months ago

I can't reproduce with the provided steps, but I can get at step 5 a different error that suggests the session cookie isn't being set. (EDIT: looks like I was too aggressive with setting SESSION_COOKIE_SECURE = True in archesproject/arches#11261, will PR)

jacobtylerwalls commented 2 months ago

I can't seem to reproduce because even in a fresh browser/incognito window, loading the page always fetches this django view and returns the cookie:

https://github.com/archesproject/arches-lingo/blob/fd598807fc350722dafe32a78535eb48813669d7/arches_lingo/views.py#L204
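Added example (not arches-lingo project code) of the client side of the situation described above: the login request is only worth sending once the CSRF cookie actually exists. It assumes Django's default cookie name `csrftoken` and request header `X-CSRFToken`; the cookie name is a parameter so a namespaced name (the constructed `lingo_csrftoken` below is only a placeholder) can be supplied, and `/login/` is an assumed endpoint.

```javascript
// Added example, not arches-lingo code. Assumed: Django's default cookie name
// "csrftoken" and request header "X-CSRFToken"; the cookie name is a parameter
// so a namespaced name can be supplied instead of the default.

// Parse a document.cookie-style string into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    if (eq === -1) continue; // malformed pair without "=", ignore it
    const name = trimmed.slice(0, eq).trim();
    const value = trimmed.slice(eq + 1).trim();
    jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Build the headers for the login POST. Returns null when the CSRF cookie is
// absent, i.e. the state at step 5 of the report: no view has issued the
// cookie yet, so a POST would only be rejected by Django's CSRF middleware.
function buildLoginHeaders(cookieString, cookieName = 'csrftoken') {
  const token = parseCookies(cookieString)[cookieName];
  if (!token) return null;
  return { 'X-CSRFToken': token, 'Content-Type': 'application/json' };
}

// Caller: report the missing cookie before sending credentials anywhere.
// opts.cookieString defaults to document.cookie in a browser; opts.url is an
// assumed endpoint, not arches-lingo's actual login route.
async function login(username, password, opts = {}) {
  const cookieString = opts.cookieString ?? document.cookie;
  const headers = buildLoginHeaders(cookieString, opts.cookieName);
  if (headers === null) {
    throw new Error('CSRF cookie not set; load a page that issues it before logging in');
  }
  const response = await fetch(opts.url ?? '/login/', {
    method: 'POST',
    credentials: 'same-origin',
    headers,
    body: JSON.stringify({ username, password }),
  });
  return response.ok;
}
```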

chrabyrd commented 2 months ago

Huh, yeah I'm also unable to repro branch #56. Not saying that that's the thing that fixed it, but yeah since it doesn't seem repro-able any more happy to close 👍