ory / kratos

The most scalable and customizable identity server on the market. Replace your homegrown solution, Auth0, Okta, or Firebase with better UX and DX. Has all the table stakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

CSRF not ignored on /session/*/extend when redirecting from public API #2640

Closed jonas-jonas closed 2 years ago

jonas-jonas commented 2 years ago

Describe the bug

When using both public and admin API endpoints, requests to /session/{id}/extend are failing because of CSRF errors.

Reproducing the bug

  1. Set up an Express app using the Ory SDK and the public URL of Kratos
  2. Log in
  3. Hit the /session/whoami endpoint
  4. Hit the /session/{id}/extend endpoint with the ID of the session

Observe a CSRF failure.

Relevant log output

No response

Relevant configuration

No response

Version

v0.10.1

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker Compose

Additional Context

See https://ory-community.slack.com/archives/C012RJ2MQ1H/p1659544480992179
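The four reproduction steps above, written out as an added example that is not part of this issue or of the Ory Kratos project: a plain Node helper (no Express, so it runs offline) that forwards the browser's Cookie header to the public whoami endpoint and then sends the extend call to the admin base URL, never the public one. The base URLs, the paths (`/sessions/whoami` on the public listener and `PATCH /admin/sessions/{id}/extend` on the admin listener, as documented for Kratos v0.10; check them against your version), the error ids in the fake responses, and the in-memory stand-in for both listeners are assumptions or constructed stand-ins, not taken from the issue.

```javascript
// Added example, not code from the issue or from the Ory Kratos project.
// Assumed base URLs for the two Kratos listeners; adjust for your deployment.
const PUBLIC_URL = "http://127.0.0.1:4433";
const ADMIN_URL = "http://127.0.0.1:4434";

// Step 3 of the report: resolve the caller's session on the public API.
// The browser's Cookie header is forwarded unchanged so Kratos can read the
// session cookie; the response is the session object, which carries the id.
async function whoami(cookieHeader, fetchImpl = globalThis.fetch, publicUrl = PUBLIC_URL) {
  const res = await fetchImpl(`${publicUrl}/sessions/whoami`, {
    method: "GET",
    headers: { Accept: "application/json", Cookie: cookieHeader },
  });
  if (res.status !== 200) {
    throw new Error(`whoami failed: HTTP ${res.status}`);
  }
  return res.json();
}

// Step 4: extend the session by id. Extension is an admin operation, so it is
// sent from trusted server-side code to the admin listener and carries no
// browser cookies at all; that is what keeps CSRF checks out of the picture.
async function extendSession(sessionId, fetchImpl = globalThis.fetch, adminUrl = ADMIN_URL) {
  const url = `${adminUrl}/admin/sessions/${encodeURIComponent(sessionId)}/extend`;
  const res = await fetchImpl(url, { method: "PATCH", headers: { Accept: "application/json" } });
  if (res.status === 403) {
    // The failure mode from the report: a 403 here means the request was
    // handled as a browser request and failed the CSRF check, which usually
    // means it reached the public listener instead of the admin one.
    throw new Error(`extend rejected with CSRF error at ${url}: ${await res.text()}`);
  }
  if (res.status !== 200) {
    throw new Error(`extend failed: HTTP ${res.status}`);
  }
  return res.json();
}

// Steps 3 and 4 together, as a request handler would run them.
async function extendCallerSession(cookieHeader, fetchImpl = globalThis.fetch,
                                   publicUrl = PUBLIC_URL, adminUrl = ADMIN_URL) {
  const session = await whoami(cookieHeader, fetchImpl, publicUrl);
  return extendSession(session.id, fetchImpl, adminUrl);
}

// Constructed in-memory stand-in for both listeners so the example runs
// offline. It models the behaviour the report describes: whoami works on the
// public listener, extend works on the admin listener, and an extend call that
// reaches the public listener is refused as a CSRF violation.
function makeFakeKratos(sessionId, validCookie) {
  const calls = [];
  const reply = (status, body) => ({
    status,
    json: async () => body,
    text: async () => JSON.stringify(body),
  });
  async function fetchImpl(url, init = {}) {
    const method = init.method || "GET";
    const headers = init.headers || {};
    calls.push({ url, method, headers });
    if (url === `${PUBLIC_URL}/sessions/whoami`) {
      return headers.Cookie === validCookie
        ? reply(200, { id: sessionId, active: true })
        : reply(401, { error: { id: "session_inactive" } });
    }
    if (url.startsWith(`${PUBLIC_URL}/`) && url.endsWith("/extend")) {
      return reply(403, { error: { id: "security_csrf_violation" } });
    }
    if (url === `${ADMIN_URL}/admin/sessions/${sessionId}/extend` && method === "PATCH") {
      return reply(200, { id: sessionId, active: true, extended: true });
    }
    return reply(404, { error: { message: "not found" } });
  }
  return { fetchImpl, calls };
}

// Stand-alone run: correct routing succeeds, and pointing the extend call at
// the public listener reproduces the CSRF rejection from the report.
async function demo() {
  const cookie = "ory_kratos_session=constructed-cookie-value";
  const good = makeFakeKratos("sess-123", cookie);
  const extended = await extendCallerSession(cookie, good.fetchImpl);
  const bad = makeFakeKratos("sess-123", cookie);
  let rejected = null;
  try {
    await extendCallerSession(cookie, bad.fetchImpl, PUBLIC_URL, PUBLIC_URL);
  } catch (e) {
    rejected = e.message;
  }
  return { extended, goodCalls: good.calls, rejected };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The point the fake makes visible is the split in trust: the whoami call is the only one that carries the browser's cookies, and the extend call is a cookie-less server-to-server request to the admin listener. If a deployment points both calls at the public URL, the second one is processed as a browser request and fails the CSRF check, which is the symptom the steps above describe.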

jonas-jonas commented 2 years ago

Duplicate of #2648