etesync / etesync-web

An EteSync web client
https://www.etesync.com
GNU Affero General Public License v3.0

Missing X-CSRFToken? #208

Closed cheako closed 3 years ago

cheako commented 3 years ago

https://stackoverflow.com/a/26639895/1153319

I looked at the browser and there are no signs of this header being set or of any attempt to set it. I did not check nginx, since what I'd want to be looking at would be encrypted. Is there some configuration, like AUTHENTICATION_CLASSES, and if so, where does it go?

I'll format the request so it's readable; the others look fine if you squint.

accept4(7, {sa_family=AF_INET, sin_port=htons(55888), sin_addr=inet_addr("172.17.0.1")}, [16], SOCK_NONBLOCK) = 10
epoll_ctl(6, EPOLL_CTL_ADD, 10, {EPOLLIN, {u32=10, u64=10}}) = 0
epoll_wait(6, [{EPOLLIN, {u32=10, u64=10}}], 64, 60000) = 1
read(10, "POST /api/v1/authentication/login_challenge/ HTTP/1.1\r\nConnection: keep-alive\r\nHost: 172.17.0.3:8080\r\nContent-Length: 17\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nAccept: application/msgpack\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36\r\nContent-Type: application/msgpack\r\nOrigin: https://notes.mikemestnik.net\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Dest: empty\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: csrftoken=Akdb; sessionid=m0uy\r\n\r\n\201\250username\246cheako", 4096) = 677
socket(AF_INET, SOCK_STREAM|SOCK_NONBLOCK, IPPROTO_IP) = 11
connect(11, {sa_family=AF_INET, sin_port=htons(35861), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
epoll_ctl(6, EPOLL_CTL_DEL, 10, 0x7fffefc01264) = 0
epoll_ctl(6, EPOLL_CTL_ADD, 11, {EPOLLOUT, {u32=11, u64=11}}) = 0
epoll_wait(6, [{EPOLLOUT, {u32=11, u64=11}}], 64, 60000) = 1
getsockopt(11, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
write(11, "\0\305\3\0\16\0REQUEST_METHOD\4\0POST\v\0REQUEST_URI'\0/api/v1/authentication/login_challenge/\t\0PATH_INFO'\0/api/v1/authentication/login_challenge/\f\0QUERY_STRING\0\0\17\0SERVER_PROTOCOL\10\0HTTP/1.1\v\0SCRIPT_NAME\0\0\v\0SERVER_NAME\f\0bd1253328b1c\v\0SERVER_PORT\4\08080\f\0UWSGI_ROUTER\4\0http\v\0REMOTE_ADDR\n\000172.17.0.1\v\0REMOTE_PORT\5\00020698\17\0HTTP_CONNECTION\n\0keep-alive\t\0HTTP_HOST\17\000172.17.0.3:8080\16\0CONTENT_LENGTH\2\00017\v\0HTTP_PRAGMA\10\0no-cache\22\0HTTP_CACHE_CONTROL\10\0no-cache\v\0HTTP_ACCEPT\23\0application/msgpack\17\0HTTP_USER_AGENTi\0Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36\f\0CONTENT_TYPE\23\0application/msgpack\v\0HTTP_ORIGIN\35\0https://notes.mikemestnik.net\23\0HTTP_SEC_FETCH_SITE\v\0same-origin\23\0HTTP_SEC_FETCH_MODE\4\0cors\23\0HTTP_SEC_FETCH_DEST\5\0empty\24\0HTTP_ACCEPT_ENCODING\21\0gzip, deflate, br\24\0HTTP_ACCEPT_LANGUAGE\16\0en-US,en;q=0.9\v\0HTTP_COOKIEv\0csrftoken=AkNdb; sessionid=m0uuky\201\250username\246cheako", 986) = 986
epoll_ctl(6, EPOLL_CTL_ADD, 10, {EPOLLIN, {u32=10, u64=10}}) = 0
epoll_ctl(6, EPOLL_CTL_MOD, 11, {EPOLLIN, {u32=11, u64=11}}) = 0
epoll_wait(6, [{EPOLLIN, {u32=11, u64=11}}], 64, 60000) = 1
read(11, "HTTP/1.1 403 Forbidden\r\nContent-Type: application/msgpack\r\nVary: Accept, Origin, Cookie\r\nAllow: POST\r\nX-Frame-Options: DENY\r\nContent-Length: 55\r\nAccess-Control-Allow-Origin: *\r\nX-Content-Type-Options: nosniff\r\nReferrer-Policy: same-origin\r\n\r\n\201\246detail\331-CSRF Failed: CSRF token missing or incorrect.", 4096) = 297
epoll_ctl(6, EPOLL_CTL_MOD, 10, {EPOLLOUT, {u32=10, u64=10}}) = 0
epoll_ctl(6, EPOLL_CTL_DEL, 11, 0x7fffefc01264) = 0
epoll_wait(6, [{EPOLLOUT, {u32=10, u64=10}}], 64, 60000) = 1
write(10, "HTTP/1.1 403 Forbidden\r\nContent-Type: application/msgpack\r\nVary: Accept, Origin, Cookie\r\nAllow: POST\r\nX-Frame-Options: DENY\r\nContent-Length: 55\r\nAccess-Control-Allow-Origin: *\r\nX-Content-Type-Options: nosniff\r\nReferrer-Policy: same-origin\r\n\r\n\201\246detail\331-CSRF Failed: CSRF token missing or incorrect.", 297) = 297

Request

POST /api/v1/authentication/login_challenge/ HTTP/1.1
Connection: keep-alive
Host: 172.17.0.3:8080
Content-Length: 17
Pragma: no-cache
Cache-Control: no-cache
Accept: application/msgpack
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
Content-Type: application/msgpack
Origin: https://notes.mikemestnik.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: csrftoken=AkTyD9nTbQxQeIfe2wFOfeGteslFsBNdb; sessionid=m0ucvkz1s0rph6uky

\201\250username\246cheako   (msgpack body; bytes shown escaped, as in the read() call above)
tasn commented 3 years ago

Are you actually experiencing an issue? A CSRF token shouldn't be set for this domain... This is again an issue because you are hosting multiple applications under the same domain. :)

cheako commented 3 years ago

That appears to be the case, odd that this is how the Docker I'm using was setup back in December 2020.