jonaswinkler / paperless-ng

A supercharged version of paperless: scan, index and archive all your physical documents
https://paperless-ng.readthedocs.io/en/latest/
GNU General Public License v3.0

[BUG] Consumer status on dashboard returns 403 with AUTO_LOGIN_USERNAME #745

Open LorenzBischof opened 3 years ago

LorenzBischof commented 3 years ago

Describe the bug

If I activate auto login with AUTO_LOGIN_USERNAME I receive a 403 error from /ws/status/ after uploading a document. The progress is not updated on the dashboard.

To Reproduce

Steps to reproduce the behavior:

  1. Activate auto login
  2. Go to the dashboard
  3. Upload a document
  4. Open the developer console
  5. See error

Expected behavior

The connection to /ws/status/ should not return an error and the progress should update on the dashboard.

Relevant information

jonaswinkler commented 3 years ago

Thanks. I've discovered that there are various other issues with that as well, namely any API operation that modifies resources (post, put, delete) won't work. These require csrf tokens to be passed around, which are not available with this option.

jonaswinkler commented 3 years ago

@lbischof Could you please confirm that this works properly for you with the new version?

tauceti82 commented 3 years ago

> @lbischof Could you please confirm that this works properly for you with the new version?

I also get a CSRF token failed in 1.3.2 when using auto login and trying in the admin page to remove e.g. failed tasks or add a user... Can you please check this @jonaswinkler ? Thanks!

LorenzBischof commented 3 years ago

Sorry for not replying. Yes it seems to work correctly.

tauceti82 commented 3 years ago

But not for me in the admin settings as described above

bauerj commented 3 years ago

> Thanks. I've discovered that there are various other issues with that as well, namely any API operation that modifies resources (post, put, delete) won't work. These require csrf tokens to be passed around, which are not available with this option.

I'm also seeing this issue when using the API to e.g. delete a document. I think this needs to be fixed before I can add such functionality to the app.

jonaswinkler commented 3 years ago

@bauerj Are you using basic or token authentication?

bauerj commented 3 years ago

I'm using Basic authentication. Would this be fixed if I switched to token authentication?

jonaswinkler commented 3 years ago

Need to check later.

bauerj commented 3 years ago

Nope, doesn't seem to work either 🙁

> curl -X DELETE https://paperless.example/api/documents/1 -H "Authorization: Token XY"

<!DOCTYPE html>
<html lang="en">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <meta name="robots" content="NONE,NOARCHIVE">
  <title>403 Forbidden</title>
  <style type="text/css">
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; color:#000; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    #info { background:#f6f6f6; }
    #info ul { margin: 0.5em 4em; }
    #info p, #summary p { padding-top:10px; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }
  </style>
</head>
<body>
<div id="summary">
  <h1>Forbidden <span>(403)</span></h1>
  <p>CSRF verification failed. Request aborted.</p>

  <p>You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
  <p>If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for “same-origin” requests.</p>

</div>

<div id="explanation">
  <p><small>More information is available with DEBUG=True.</small></p>
</div>

</body>
</html>

bauerj commented 3 years ago

Since the app would be way more useful if this would work, this is a pretty high priority for paperless_app.

I would look into this myself but I guess the cause is hidden deep in the Django framework which I am unfamiliar with 😕

Any pointers on what I should look at?

qcasey commented 3 years ago

Hey all, hope you're well :)

After a quick search it looks like this is the cause of qcasey/paperless_share#7 too.

Posting for a token with PAPERLESS_AUTO_LOGIN_USERNAME set gives us a 403:

$ http POST http://192.168.1.17:8000/api/token/ username=casey password=REDACTED
HTTP/1.1 403 Forbidden
allow: POST, OPTIONS
content-language: en-us
content-length: 46
content-type: application/json
date: Thu, 05 Aug 2021 17:23:16 GMT
referrer-policy: same-origin
server: uvicorn
set-cookie: csrftoken=K3f2SO3GiSrPjpM5nNySKfZ76A2fbUjXwQoWZRbFb5G5lkpigpNqeH1XkSyTNqHF; expires=Thu, 04 Aug 2022 17:23:17 GMT; Max-Age=31449600; Path=/; SameSite=Lax
set-cookie: sessionid=tq4ss7tqzikznl1xk053wi5ci9i3hg0r; expires=Thu, 19 Aug 2021 17:23:17 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
vary: Cookie, Accept-Language, Origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN

{
    "detail": "CSRF Failed: CSRF cookie not set."
}

Similar error when posting a document, with or without basic auth:

HTTP/1.1 403 Forbidden
content-language: en-us
content-length: 1382
content-type: text/html
date: Thu, 05 Aug 2021 17:31:21 GMT
referrer-policy: same-origin
server: uvicorn
set-cookie: csrftoken=5OgTyn8tkZ2wh1PktrbwsFAOTBgNRGjO4zQfQV1gAfgiBbMSEtart3nwY1qawVVz; expires=Thu, 04 Aug 2022 17:31:22 GMT; Max-Age=31449600; Path=/; SameSite=Lax
set-cookie: sessionid=3poikybv9zultt8csgsacvkn40tssgh4; expires=Thu, 19 Aug 2021 17:31:22 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
vary: Cookie, Accept-Language, Origin
x-api-version: 2
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-version: 1.4.5

<!DOCTYPE html>
<html lang="en">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <meta name="robots" content="NONE,NOARCHIVE">
  <title>403 Forbidden</title>
  <style type="text/css">
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; color:#000; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    #info { background:#f6f6f6; }
    #info ul { margin: 0.5em 4em; }
    #info p, #summary p { padding-top:10px; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }
  </style>
</head>
<body>
<div id="summary">
  <h1>Forbidden <span>(403)</span></h1>
  <p>CSRF verification failed. Request aborted.</p>

  <p>You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
  <p>If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for “same-origin” requests.</p>

</div>

<div id="explanation">
  <p><small>More information is available with DEBUG=True.</small></p>
</div>

</body>
</html>
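To make the 403 above concrete, here is an added example (not code from paperless-ng or from anyone in this thread): a simplified model of Django's CSRF double-submit check, replayed against the bare token-authenticated DELETE and against the same request carrying the csrftoken back as both cookie and X-CSRFToken header. The `check_csrf` logic and the helper names are assumptions for illustration; the `Set-Cookie` value is copied from the httpie output above.

```python
"""Added example: a simplified model of Django's CSRF double-submit check,
replayed against the requests quoted in this thread. Not paperless-ng code."""
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed input: the csrftoken Set-Cookie line from the httpie 403 response above.
CAPTURED_SET_COOKIE = (
    "csrftoken=K3f2SO3GiSrPjpM5nNySKfZ76A2fbUjXwQoWZRbFb5G5lkpigpNqeH1XkSyTNqHF; "
    "expires=Thu, 04 Aug 2022 17:23:17 GMT; Max-Age=31449600; Path=/; SameSite=Lax"
)

def cookie_value(header_value, name):
    """Return the value of cookie `name` from a Cookie or Set-Cookie header, else None."""
    for part in header_value.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value or None
    return None

def check_csrf(method, headers):
    """Simplified model (assumption, not Django's actual code) of the server-side check.
    Returns None if the request is accepted, otherwise the rejection reason."""
    if method.upper() in SAFE_METHODS:
        return None                      # only state-changing methods are checked
    cookie_token = cookie_value(headers.get("Cookie", ""), "csrftoken")
    if cookie_token is None:
        return "CSRF cookie not set."    # what the curl / httpie calls above ran into
    header_token = headers.get("X-CSRFToken")
    if header_token is None:
        return "CSRF token missing."
    if not hmac.compare_digest(header_token, cookie_token):
        return "CSRF token incorrect."
    return None

def csrf_headers(set_cookie_value):
    """Headers a session-authenticated client has to add to a POST/PUT/DELETE:
    the csrftoken it was handed, sent back as both the cookie and X-CSRFToken."""
    token = cookie_value(set_cookie_value, "csrftoken")
    return {"Cookie": f"csrftoken={token}", "X-CSRFToken": token}

def replay():
    """Outcome for the bare DELETE from the thread, then for one carrying the token."""
    bare = {"Authorization": "Token XY"}
    fixed = {"Authorization": "Token XY", **csrf_headers(CAPTURED_SET_COOKIE)}
    return check_csrf("DELETE", bare), check_csrf("DELETE", fixed)
```

`replay()` returns `('CSRF cookie not set.', None)`: the first rejection is exactly the detail string in the httpie output, and it disappears once the token travels in both places.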

bauerj commented 2 years ago

Okay, as it turns out this actually was a different issue.

curl -X DELETE https://paperless.example/api/document/1/ works whereas curl -X DELETE https://paperless.example/api/document/1 doesn't.

Sorry for the confusion! Everything works as expected now.