devopshq / teamcity

dohq-teamcity is a Python package providing access to the JetBrains TeamCity server API.
https://devopshq.github.io/teamcity/
MIT License

csrf queue new build error #24

Open MeGaPk opened 4 years ago

MeGaPk commented 4 years ago

When I tried to use this code:

    from dohq_teamcity import Build  # request-body model for queue_new_build

    body = Build(
        build_type_id=self._tc_build_configuration_id,
        branch_name=branch_name,
    )
    # queue_new_build issues an authenticated POST, which is what triggers the CSRF check
    print(self._tc.build_queues.queue_new_build(body=body, move_to_top=True))

I got error:

  File "C:\Users\megap\PycharmProjects\Jira2TeamCity\venv\lib\site-packages\dohq_teamcity\api_client.py", line 373, in request
    body=body)
  File "C:\Users\megap\PycharmProjects\Jira2TeamCity\venv\lib\site-packages\dohq_teamcity\rest.py", line 281, in POST
    body=body)
  File "C:\Users\megap\PycharmProjects\Jira2TeamCity\venv\lib\site-packages\dohq_teamcity\rest.py", line 232, in request
    raise ApiException(http_resp=r)
dohq_teamcity.rest.ApiException: (403)
Reason:
HTTP response headers: HTTPHeaderDict({'TeamCity-Node-Id': 'MAIN_SERVER', 'Content-Type': 'text/plain;charset=UTF-8', 'Content-Length': '358', 'Date': 'Sun, 10 May 2020 15:07:48 GMT'})
HTTP response body: 403 Forbidden: Responding with 403 status code due to failed CSRF check: authenticated POST request is made, but neither tc-csrf-token parameter nor X-TC-CSRF-Token header are provided. For a temporary workaround, you can set internal property teamcity.csrf.paranoid=false and provide valid Origin=http://asdasdasd header with your request
xSageDan commented 3 years ago

Same issue here. Tried to solve this by updating the init of the TeamCity object to get the X-TC-CSRF-Token via https://xxxxx/authenticationTest.html?csrf and then passing it as a header ({'X-TC-CSRF-Token': 'xxxxx'}), but for some reason it says the token I got is different from the session token. Any suggestions on how to continue from here?

YuryPichuzhkin commented 3 years ago

> Same issue here. Tried to solve this by updating the init of the TeamCity object to get the X-TC-CSRF-Token via https://xxxxx/authenticationTest.html?csrf and then passing it as a header ({'X-TC-CSRF-Token': 'xxxxx'}), but for some reason it says the token I got is different from the session token. Any suggestions on how to continue from here?

Hi!

Try it:

import dohq_teamcity

tc = dohq_teamcity.TeamCity(TC_URL, auth=(options.tc_login, options.tc_password))
# Any authenticated GET first, so the server creates the session (and session cookie)
# that the CSRF token is bound to.
tc.call_api(resource_path="/httpAuth/app/rest/server", method="GET")
# Ask the server for that session's token and send it on every later request.
csrfToken = tc.request("GET", url=TC_URL + "/authenticationTest.html?csrf").data
tc.set_default_header(header_name='X-TC-CSRF-Token', header_value=csrfToken)
istvans commented 9 months ago

> Same issue here. Tried to solve this by updating the init of the TeamCity object to get the X-TC-CSRF-Token via https://xxxxx/authenticationTest.html?csrf and then passing it as a header ({'X-TC-CSRF-Token': 'xxxxx'}), but for some reason it says the token I got is different from the session token. Any suggestions on how to continue from here?
>
> Hi!
>
> Try it:
>
> import dohq_teamcity
>
> tc = dohq_teamcity.TeamCity(TC_URL, auth=(options.tc_login, options.tc_password))
> # Any authenticated GET first, so the server creates the session (and session cookie)
> # that the CSRF token is bound to.
> tc.call_api(resource_path="/httpAuth/app/rest/server", method="GET")
> # Ask the server for that session's token and send it on every later request.
> csrfToken = tc.request("GET", url=TC_URL + "/authenticationTest.html?csrf").data
> tc.set_default_header(header_name='X-TC-CSRF-Token', header_value=csrfToken)

I had the same 403 status code with TC 2022.04 when I was just trying to set a parameter on a project. Read-only operations worked fine, but I ran into this problem every time I tried to change something in the configuration. This is in line with the TeamCity documentation:

1. If an HTTP request is a non-modifying one (such as GET), it is considered safe.
2. If an HTTP request has a secure CSRF token either in the parameter or in the HTTP header and this token matches the one stored in user session, it is considered safe.

This suggestion worked fine, but (probably obviously) only when I was logged in with my password and not with an access token.

As suggested in https://github.com/devopshq/teamcity/issues/37 (which seems to be a duplicate of this issue) I think the library should handle this with some options at least.

The official TeamCity documentation suggests token based authentication for non-browser HTTP clients: https://www.jetbrains.com/help/teamcity/csrf-protection.html#Implications+for+non-browser+HTTP+clients

I have the same problem even if I authenticate using a token.
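To make the session binding concrete, here is an added simulation (not part of this thread, and not TeamCity's or dohq-teamcity's code) of the two rules quoted above, plus the non-paranoid Origin fallback that the error message in the first comment mentions. The FakeTeamCity server class, the Client class, the cookie name TCSESSIONID and the URLs are constructed for the example. It reproduces the outcomes seen in the thread: no token sent at all, a token fetched in a different session from the one that does the POST (one way to get a "token is different from the session token" rejection), and the working sequence from the reply: GET to open the session, fetch the token, set the default header, then POST.

```python
"""Simulated TeamCity CSRF decision, following the two rules quoted in the thread
(constructed example; not TeamCity or dohq-teamcity code)."""
import secrets
from urllib.parse import parse_qs, urlparse

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
CSRF_HEADER = "x-tc-csrf-token"      # header names are compared case-insensitively
CSRF_PARAM = "tc-csrf-token"
SESSION_COOKIE = "TCSESSIONID"       # assumption: name of the server's session cookie


class FakeTeamCity:
    """Stand-in server: one CSRF token per session, sessions keyed by the cookie."""

    def __init__(self, server_url, paranoid=True):
        self.server_url = server_url
        self.paranoid = paranoid     # models the teamcity.csrf.paranoid property
        self.sessions = {}           # session id -> csrf token

    def _session_for(self, cookies):
        sid = cookies.get(SESSION_COOKIE)
        if sid not in self.sessions:                  # no/unknown cookie: new session
            sid = secrets.token_hex(8)
            self.sessions[sid] = secrets.token_hex(16)
        return sid

    def handle(self, method, url, headers=None, cookies=None):
        """Return (status, cookies_to_set, body). Every request counts as authenticated."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        parsed = urlparse(url)
        params = parse_qs(parsed.query, keep_blank_values=True)
        sid = self._session_for(cookies or {})
        token = self.sessions[sid]
        set_cookie = {SESSION_COOKIE: sid}
        # Rule 1: non-modifying requests are safe.
        if method.upper() in SAFE_METHODS:
            if parsed.path.endswith("/authenticationTest.html") and "csrf" in params:
                return 200, set_cookie, token         # hands out *this session's* token
            return 200, set_cookie, "ok"
        # Rule 2: a token in the header or parameter must match the session's token.
        supplied = headers.get(CSRF_HEADER) or (params.get(CSRF_PARAM) or [None])[0]
        if supplied is not None:
            if secrets.compare_digest(supplied, token):
                return 200, set_cookie, "queued"
            return 403, set_cookie, "CSRF token does not match the session token"
        # Non-paranoid mode only: a matching Origin header is accepted instead of a token.
        if not self.paranoid and headers.get("origin") == self.server_url:
            return 200, set_cookie, "queued"
        return 403, set_cookie, ("neither tc-csrf-token parameter nor "
                                 "X-TC-CSRF-Token header are provided")


class Client:
    """Minimal client over the fake server; keep_cookies models a persistent session."""

    def __init__(self, server, keep_cookies=True):
        self.server = server
        self.keep_cookies = keep_cookies
        self.cookies = {}
        self.default_headers = {}

    def request(self, method, url, headers=None):
        status, set_cookie, body = self.server.handle(
            method, url, {**self.default_headers, **(headers or {})}, self.cookies)
        if self.keep_cookies:
            self.cookies.update(set_cookie)
        return status, body


def queue_build(client, base_url, fetch_token=True):
    """The thread's workaround: open the session with a GET, fetch the token, set the
    default header, then POST. With fetch_token=False it is the original failing call."""
    if fetch_token:
        client.request("GET", base_url + "/httpAuth/app/rest/server")
        _, token = client.request("GET", base_url + "/authenticationTest.html?csrf")
        client.default_headers["X-TC-CSRF-Token"] = token
    return client.request("POST", base_url + "/httpAuth/app/rest/buildQueue")


def demo(base_url="http://teamcity.example"):
    server = FakeTeamCity(base_url)
    return {
        # first comment's 403: no token sent at all
        "no_token": queue_build(Client(server), base_url, fetch_token=False),
        # token fetched, but every request lands in a fresh session, so it never matches
        "token_other_session": queue_build(Client(server, keep_cookies=False), base_url),
        # the reply's fix: token fetched inside the same session that sends the POST
        "token_same_session": queue_build(Client(server), base_url),
        # the error message's temporary workaround: paranoid off plus a matching Origin
        "origin_non_paranoid": Client(FakeTeamCity(base_url, paranoid=False)).request(
            "POST", base_url + "/httpAuth/app/rest/buildQueue", {"Origin": base_url}),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: {status} {body}")
```

The point the simulation makes is that the token is worthless without the cookie that names the session it belongs to: a client that drops cookies between calls will always fetch a token for one session and then POST in another, and the Origin fallback only exists when paranoid mode is switched off on the server side.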