Open LorenzBischof opened 3 years ago
Thanks. I've discovered that there are various other issues with that as well, namely any API operation that modifies resources (post, put, delete) won't work. These require csrf tokens to be passed around, which are not available with this option.
@lbischof Could you please confirm that this works properly for you with the new version?
I also get a CSRF token failed in 1.3.2 when using auto login and trying in the admin page to remove e.g. failed tasks or add a user... Can you please check this @jonaswinkler ? Thanks!
Sorry for not replying. Yes it seems to work correctly.
But not for me in the admin settings as described above
I'm also seeing this issue when using the API to e.g. delete a document. I think this needs to be fixed before I can add such functionality to the app.
@bauerj Are you using basic or token authentication?
I'm using Basic authentication. Would this be fixed if I switched to token authentication?
Need to check later.
Nope, doesn't seem to work either 🙁
> curl -X DELETE https://paperless.example/api/documents/1 -H "Authorization: Token XY"
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="robots" content="NONE,NOARCHIVE">
<title>403 Forbidden</title>
<style type="text/css">
html * { padding:0; margin:0; }
body * { padding:10px 20px; }
body * * { padding:0; }
body { font:small sans-serif; background:#eee; color:#000; }
body>div { border-bottom:1px solid #ddd; }
h1 { font-weight:normal; margin-bottom:.4em; }
h1 span { font-size:60%; color:#666; font-weight:normal; }
#info { background:#f6f6f6; }
#info ul { margin: 0.5em 4em; }
#info p, #summary p { padding-top:10px; }
#summary { background: #ffc; }
#explanation { background:#eee; border-bottom: 0px none; }
</style>
</head>
<body>
<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
<p>You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
<p>If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for “same-origin” requests.</p>
</div>
<div id="explanation">
<p><small>More information is available with DEBUG=True.</small></p>
</div>
</body>
</html>
Since the app would be way more useful if this would work, this is a pretty high priority for paperless_app.
I would look into this myself but I guess the cause is hidden deep in the Django framework which I am unfamiliar with 😕
Any pointers on what I should look at?
Hey all, hope you're well :)
After a quick search it looks like this is the cause of qcasey/paperless_share#7 too.
Posting for a token with PAPERLESS_AUTO_LOGIN_USERNAME set gives us a 403:
$ http POST http://192.168.1.17:8000/api/token/ username=casey password=REDACTED
HTTP/1.1 403 Forbidden
allow: POST, OPTIONS
content-language: en-us
content-length: 46
content-type: application/json
date: Thu, 05 Aug 2021 17:23:16 GMT
referrer-policy: same-origin
server: uvicorn
set-cookie: csrftoken=K3f2SO3GiSrPjpM5nNySKfZ76A2fbUjXwQoWZRbFb5G5lkpigpNqeH1XkSyTNqHF; expires=Thu, 04 Aug 2022 17:23:17 GMT; Max-Age=31449600; Path=/; SameSite=Lax
set-cookie: sessionid=tq4ss7tqzikznl1xk053wi5ci9i3hg0r; expires=Thu, 19 Aug 2021 17:23:17 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
vary: Cookie, Accept-Language, Origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
{
"detail": "CSRF Failed: CSRF cookie not set."
}
Similar error when posting a document, with or without basic auth:
HTTP/1.1 403 Forbidden
content-language: en-us
content-length: 1382
content-type: text/html
date: Thu, 05 Aug 2021 17:31:21 GMT
referrer-policy: same-origin
server: uvicorn
set-cookie: csrftoken=5OgTyn8tkZ2wh1PktrbwsFAOTBgNRGjO4zQfQV1gAfgiBbMSEtart3nwY1qawVVz; expires=Thu, 04 Aug 2022 17:31:22 GMT; Max-Age=31449600; Path=/; SameSite=Lax
set-cookie: sessionid=3poikybv9zultt8csgsacvkn40tssgh4; expires=Thu, 19 Aug 2021 17:31:22 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
vary: Cookie, Accept-Language, Origin
x-api-version: 2
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-version: 1.4.5
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="robots" content="NONE,NOARCHIVE">
<title>403 Forbidden</title>
<style type="text/css">
html * { padding:0; margin:0; }
body * { padding:10px 20px; }
body * * { padding:0; }
body { font:small sans-serif; background:#eee; color:#000; }
body>div { border-bottom:1px solid #ddd; }
h1 { font-weight:normal; margin-bottom:.4em; }
h1 span { font-size:60%; color:#666; font-weight:normal; }
#info { background:#f6f6f6; }
#info ul { margin: 0.5em 4em; }
#info p, #summary p { padding-top:10px; }
#summary { background: #ffc; }
#explanation { background:#eee; border-bottom: 0px none; }
</style>
</head>
<body>
<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
<p>You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
<p>If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for “same-origin” requests.</p>
</div>
<div id="explanation">
<p><small>More information is available with DEBUG=True.</small></p>
</div>
</body>
</html>
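The 403 bodies above ("CSRF cookie not set." for the token POST, the HTML CSRF page for the document upload) all come from Django's double-submit check: a mutating request under session authentication must carry the csrftoken cookie and echo its value back in the X-CSRFToken header (or the csrfmiddlewaretoken form field). The following is an added example, not code from this thread or from paperless/Django: a simplified model of that check, including Django's per-request token masking, replayed against the request shapes seen in this thread. The Origin/Referer checks and secret rotation of the real middleware are omitted, and the function names are my own.

```python
import secrets
import string

# Simplified model of Django's double-submit CSRF check, constructed for this
# thread (not Django's or paperless's code); Origin/Referer checks are omitted.
CHARS = string.ascii_letters + string.digits
SECRET_LEN = 32  # csrftoken cookie = 32-char random mask + 32-char masked secret
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def new_secret() -> str:
    return "".join(secrets.choice(CHARS) for _ in range(SECRET_LEN))

def mask_secret(secret: str) -> str:
    """Shift each secret char by a fresh random mask and prefix the mask."""
    mask = new_secret()
    pairs = zip((CHARS.index(c) for c in secret), (CHARS.index(c) for c in mask))
    return mask + "".join(CHARS[(x + y) % len(CHARS)] for x, y in pairs)

def unmask_token(token: str) -> str:
    mask, cipher = token[:SECRET_LEN], token[SECRET_LEN:]
    pairs = zip((CHARS.index(c) for c in cipher), (CHARS.index(c) for c in mask))
    return "".join(CHARS[x - y] for x, y in pairs)  # negative index wraps

def csrf_check(method: str, cookies: dict, headers: dict, form: dict = None) -> str:
    """Return "" when the request passes, otherwise the rejection reason."""
    if method in SAFE_METHODS:
        return ""
    cookie = cookies.get("csrftoken")
    if cookie is None:
        return "CSRF cookie not set."
    sent = (form or {}).get("csrfmiddlewaretoken") or headers.get("X-CSRFToken")
    if not sent:
        return "CSRF token missing."
    for value in (cookie, sent):
        if len(value) != 2 * SECRET_LEN or any(c not in CHARS for c in value):
            return "CSRF token has incorrect length or invalid characters."
    if not secrets.compare_digest(unmask_token(cookie), unmask_token(sent)):
        return "CSRF token incorrect."
    return ""

def demo() -> tuple:
    """Replay the thread's failing POST, then the shape a session client must send."""
    cookie = mask_secret(new_secret())
    no_cookie = csrf_check("POST", {}, {})  # as in the http output above
    echoed = csrf_check("POST", {"csrftoken": cookie}, {"X-CSRFToken": cookie})
    foreign = csrf_check("DELETE", {"csrftoken": cookie},
                         {"X-CSRFToken": mask_secret(new_secret())})
    return no_cookie, echoed, foreign
```

Two maskings of the same secret look completely different on the wire but unmask to the same value, which is why a client can send back whichever csrftoken cookie it was last given.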
Okay, as it turns out this actually was a different issue.
curl -X DELETE https://paperless.example/api/document/1/ works whereas curl -X DELETE https://paperless.example/api/document/1 doesn't.
Sorry for the confusion! Everything works as expected now.
Describe the bug
If I activate auto login with AUTO_LOGIN_USERNAME I receive a 403 error from /ws/status/ after uploading a document. The progress is not updated on the dashboard.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The connection to /ws/status/ should not return an error and the progress should update on the dashboard.
Relevant information