cvisionai / tator

Video analytics web platform
https://tator.io
GNU Affero General Public License v3.0

CSRF issue on login (rc/1.3.0) #1708

Closed. sbatchelder closed this 4 weeks ago

sbatchelder commented 4 weeks ago

Saw that VAST support was added to rc/1.3.0 yesterday (6ee01bb). Decided to try it out, and it seems to work/connect to our VAST backend properly, great.

However, if I log out of my user account, I can no longer log back in. After submitting user credentials I get hit with a `Forbidden (403) CSRF verification failed. Request aborted.` error.

Is this reproducible on your end?


jrtcppv commented 4 weeks ago

Hi @sbatchelder , I just tried this on my compose deployment and was not able to reproduce. I tried deleting the csrftoken cookie while on the login page, and after reloading it was set again. Do you see the same behavior?

sbatchelder commented 4 weeks ago

Partially. On the login page I delete the csrftoken cookie, I reload the page, the cookie is generated, I go to log in, and I get the CSRF verification 403 error again (even though the csrftoken is still there).

jrtcppv commented 4 weeks ago

I was going through our changelog for 1.3.0 and came across this:

https://github.com/cvisionai/tator/pull/1608

I think with a proxied config we might need to shim something into that setting via an environment variable.

sbatchelder commented 4 weeks ago

Adding our specific site url to CSRF_TRUSTED_ORIGINS in settings.py did the trick! Thanks Jon!!
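The failure mode in this thread (TLS terminated at a reverse proxy, Django itself seeing plain HTTP) can be shown with a small model of Django's CSRF origin check as it works in Django 4.0 and later. This is an added example, not code from the tator project: the `CSRF_TRUSTED_ORIGINS` environment variable name and all host names are assumptions for illustration.

```python
"""Toy model of Django's CSRF Origin-header check (Django >= 4.0).

Added example, not tator project code. The env var CSRF_TRUSTED_ORIGINS
and the host names below are assumptions chosen for illustration.

Django compares the browser's Origin header with the origin it reconstructs
from its OWN view of the request (scheme + Host). Behind a TLS-terminating
proxy the browser sends "https://tator.example.com" while Django, talking
plain HTTP to the proxy, reconstructs "http://tator.example.com". The two
differ, so the request is only accepted if the Origin is listed in
CSRF_TRUSTED_ORIGINS; otherwise the login POST gets a 403.
"""
import os
from urllib.parse import urlsplit


def parse_trusted_origins(raw: str) -> list[str]:
    """Turn a comma-separated value (e.g. from an env var) into the list
    Django expects. Since Django 4.0 every entry must carry a scheme;
    a bare host name is a configuration error, so reject it early."""
    origins = []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(
                f"CSRF_TRUSTED_ORIGINS entry needs a scheme, e.g. https://host: {entry!r}"
            )
        origins.append(f"{parts.scheme}://{parts.netloc.lower()}")
    return origins


def trusted_origins_from_env(default: str = "") -> list[str]:
    """Shim used by the example: read the list from an environment variable
    (assumed name) so a proxied deployment can set it without editing settings.py."""
    return parse_trusted_origins(os.environ.get("CSRF_TRUSTED_ORIGINS", default))


def origin_allowed(origin_header: str, host_seen_by_django: str,
                   is_secure: bool, trusted_origins: list[str]) -> bool:
    """Decision Django makes for an unsafe (POST) request carrying an Origin header.

    1. Exact match against the origin Django reconstructs for itself.
    2. Exact match against CSRF_TRUSTED_ORIGINS.
    3. Wildcard-subdomain match ("https://*.example.com") with the same scheme.
    """
    own_origin = f"{'https' if is_secure else 'http'}://{host_seen_by_django.lower()}"
    if origin_header == own_origin:
        return True
    if origin_header in trusted_origins:
        return True
    req = urlsplit(origin_header)
    if not req.netloc:
        return False
    for trusted in trusted_origins:
        t = urlsplit(trusted)
        if t.scheme != req.scheme or not t.netloc.startswith("*."):
            continue
        suffix = t.netloc[1:]  # "*.corp.example" -> ".corp.example"
        if req.netloc == suffix[1:] or req.netloc.endswith(suffix):
            return True
    return False


if __name__ == "__main__":
    trusted = parse_trusted_origins("https://tator.example.com, https://*.corp.example")
    # Proxied deployment: browser says https, Django thinks http -> needs trusted list.
    print(origin_allowed("https://tator.example.com", "tator.example.com", False, []))
    print(origin_allowed("https://tator.example.com", "tator.example.com", False, trusted))
```

The first call above reproduces the 403 from the issue (Django reconstructs `http://tator.example.com`, the browser sent `https://...`, nothing is trusted); the second passes once the site URL, scheme included, is in the trusted list. Setting `SECURE_PROXY_SSL_HEADER` so Django recognises the proxied request as HTTPS is the other way to make step 1 match, but that must only be done when the proxy is guaranteed to overwrite that header.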