data-govt-nz / ckanext-security

A CKAN extension to hold various security improvements for CKAN
GNU Affero General Public License v3.0

Each POST request results in a 403 response: "CSRF authentication failed. Token missing or invalid." #14

Closed DionKoolhaas closed 6 years ago

DionKoolhaas commented 6 years ago

We installed CKAN version 2.6.4 together with this ckanext-security plugin. We followed the instructions on the wiki and it seems like much of CKAN is working fine. However, every POST (login, change language, etc.) gives a 403 response with the message:

Access was denied to this resource. CSRF authentication failed. Token missing or invalid.

We cannot figure out what the cause is. We tested it with Firefox and IE. Anyone seen this message before and know the solution?

Request headers:

Accept: text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Host: localhost:5000
Referer: http://localhost:5000/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linu…) Gecko/20100101 Firefox/59.0

Response headers:

Content-Length: 210
Content-Type: text/html; charset=UTF-8
Date: Thu, 22 Mar 2018 14:10:39 GMT
Server: PasteWSGIServer/0.5 Python/2.7.9
Set-Cookie: csrftoken=3f37fee27c3b34182a12…ost; Path=/; secure; HttpOnly
Set-Cookie: ckan_session=8b13a7a6e45e7f830…ost; httponly; Path=/; secure

Debug log:

2018-03-22 15:48:54,490 INFO [ckan.lib.base] /api/i18n/en render time 0.007 seconds
2018-03-22 15:48:54,490 DEBUG [pylons.controllers.core] Calling Response object to return WSGI
2018-03-22 15:48:54,491 INFO [repoze.who] no challenge required
2018-03-22 15:48:54,491 INFO [repoze.who] -- repoze.who request ended (/api/i18n/en) --
2018-03-22 15:49:06,967 DEBUG [paste.httpserver.ThreadPool] Added task (0 tasks queued)
2018-03-22 15:49:12,224 DEBUG [paste.httpserver.ThreadPool] Added task (0 tasks queued)
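The 403 quoted in the report is the generic failure of a double-submit-cookie CSRF check: the server issues a csrftoken cookie and expects the same value back in the form (or a header) on every state-changing request. The script below is an added example, not code from ckanext-security or CKAN, and it is Python 3 although the reported instance runs Python 2.7. It implements such a check, walks through the three ways it fails (cookie never sent back, no token in the form or header, mismatched values), and adds a helper that flags a cookie carrying the Secure attribute when the site is actually served over plain http. The cookie name csrftoken is taken from the Set-Cookie header above; the form field name, the X-CSRFToken header name, the function names and the sample requests are assumptions constructed for illustration.

```python
"""Double-submit-cookie CSRF check of the kind whose failure message appears above.

Added example, not ckanext-security's own code. The cookie name 'csrftoken'
is taken from the Set-Cookie header in the report; the form field name, the
'X-CSRFToken' header, every function and the sample requests are assumptions.
"""
import hmac
from urllib.parse import parse_qs

COOKIE_NAME = "csrftoken"      # from the Set-Cookie header in the report
FIELD_NAME = "csrftoken"       # assumed name of the hidden form field
HEADER_NAME = "X-CSRFToken"    # assumed header used by XHR/API clients
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_cookies(cookie_header):
    """Parse a 'Cookie:' request header into a dict (last value wins)."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def check_csrf(method, headers, body):
    """Validate a request under the double-submit-cookie pattern.

    headers: dict of request headers; body: the urlencoded POST body.
    Returns (ok, reason). Each False branch is one way to end up with a
    403 'Token missing or invalid' like the one in the report.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"

    cookie_token = parse_cookies(headers.get("Cookie", "")).get(COOKIE_NAME)
    if not cookie_token:
        # The browser never sent the cookie back, so there is nothing to compare.
        return False, "token missing: no %s cookie on request" % COOKIE_NAME

    submitted = parse_qs(body).get(FIELD_NAME, [None])[0] or headers.get(HEADER_NAME)
    if not submitted:
        return False, "token missing: no %s field or %s header" % (FIELD_NAME, HEADER_NAME)

    # Constant-time compare so the check does not leak the token byte by byte.
    if not hmac.compare_digest(cookie_token.encode(), submitted.encode()):
        return False, "token invalid: cookie and submitted token differ"
    return True, "token valid"


def cookie_returned_over(set_cookie_header, scheme):
    """Will a browser send this cookie back on requests over `scheme`?

    A cookie carrying the Secure attribute is only returned over https
    (current browsers also exempt http://localhost). Comparing the
    Set-Cookie line of a 403 with the scheme actually in use is a cheap
    first check when every POST fails with 'token missing'.
    """
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return scheme == "https" or "secure" not in attrs


# Constructed requests modelled on the report; these are not captured traffic.
COOKIE = "csrftoken=3f37fee2; ckan_session=8b13a7a6"
SCENARIOS = {
    "cookie_not_sent": ("POST", {}, "csrftoken=3f37fee2&lang=en"),
    "field_missing":   ("POST", {"Cookie": COOKIE}, "lang=en"),
    "mismatch":        ("POST", {"Cookie": COOKIE}, "csrftoken=deadbeef&lang=en"),
    "form_ok":         ("POST", {"Cookie": COOKIE}, "csrftoken=3f37fee2&lang=en"),
    "header_ok":       ("POST", {"Cookie": COOKIE, "X-CSRFToken": "3f37fee2"}, "lang=en"),
    "get_ok":          ("GET", {}, ""),
}


def run_scenarios():
    """Return {scenario name: ok} for the constructed requests above."""
    return {name: check_csrf(*req)[0] for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (method, headers, body) in SCENARIOS.items():
        print("%-16s %s" % (name, check_csrf(method, headers, body)))
    print("Secure cookie returned over http?",
          cookie_returned_over("csrftoken=3f37fee2; Path=/; secure; HttpOnly", "http"))
```

Running the script prints one line per scenario; only form_ok, header_ok and get_ok pass. Note that the request headers pasted in the report contain no Cookie header at all, which is the cookie_not_sent case above, and that the response sets csrftoken with the secure attribute while the Host is localhost:5000 over http, which is what cookie_returned_over is there to make visible.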

anotheredward commented 6 years ago

Hi @DionKoolhaas, thanks for posting your issue.

Can you please confirm if you're using the 0.1.0 release of ckan-security or master?

We're currently looking in to a related issue: https://github.com/data-govt-nz/ckanext-security/issues/6

My understanding is that prior to this PR being merged (https://github.com/data-govt-nz/ckanext-security/pull/5/files), the CSRF protection wasn't enabled.

Your best bet in the short term is probably going to be to disable the CSRF protection.

DionKoolhaas commented 6 years ago

Hello @anotheredward, thanks for your quick reply!

We followed the wiki and used 0.0.1 version instead of 0.1.0:

pip install --process-dependency-links -e 'https://github.com/data-govt-nz/ckanext-security.git#egg=ckanext-security==0.0.1'

Maybe the wiki needs an update regarding this? We now use 0.1.0 and disabled CSRF protection. Thank you so far :)

anotheredward commented 6 years ago

Hi @DionKoolhaas, excuse my ignorance, could you please give me a link to the wiki you found instructions in so we can update them?

DionKoolhaas commented 6 years ago

Hello @anotheredward, no problem. We used the README.md of this project (https://github.com/data-govt-nz/ckanext-security/blob/master/README.md#how-to-install)

anotheredward commented 6 years ago

We have a fix in the works for the CSRF issue. As a stop-gap I've updated the version in the README pip install command to avoid this issue until the work is done: 79bd1f34b39cb28498a11063592f5ac7b42dfbd5

anotheredward commented 6 years ago

@DionKoolhaas A fix for the CSRF protection was just merged into master. Would you be able to test it on your CKAN instance and see if it now works for you? Thanks :)