passbolt / lab-passbolt-py

Python library for Passbolt API
https://passbolt.com
MIT No Attribution

CSRF token from either the request body or request headers did not match or is missing. #3

Closed mabihan closed 10 months ago

mabihan commented 1 year ago

I'm using Passbolt on a self-hosted environment, version 4.1.2 / 4.2.0. I get a 403 error when I follow the steps described in this repo:

CSRF token from either the request body or request headers did not match or is missing.

AnatomicJC commented 1 year ago

Hi @mabihan

Unfortunately, I was not able to reproduce your issue. To reproduce, I ran a passbolt instance with docker-compose up from this repository: https://github.com/passbolt/lab-passbolt-ansible-poc

From there, passbolt is available on http://localhost:12380 and you can recover ada@passbolt.dev key from https://github.com/passbolt/lab-passbolt-ansible-poc/blob/main/pgp-keys/ada.asc

I tested both gnupg and PGPy without error.

Here are my config files:

For gnupg, I imported ada@passbolt.dev key before:

$ cat config.json
{
    "gpg_binary": "gpg",
    "gpg_library": "gnupg",
    "fingerprint": "064DE03152856A227FEFB0AD56BB3FB586945488",
    "base_url": "http://localhost:12380"
}

For PGPy:

$ cat config.json 
{
    "base_url": "http://localhost:12380",
    "private_key": "[ASCII-armored PGP private key block omitted]",
    "passphrase": "ada@passbolt.dev"
}

So I guess there is something specific on your local environment. You can write a post on https://community.passbolt.com to get more traction on your issue.

Best,

paulfi94 commented 11 months ago

Hey. I'm also running into this problem. (Passbolt Version 4.4.0).

I found out that the get_cookies function extracts the csrf-token by stripping the last 8 chars from the cookies. But it seems like there are more than 8 chars following the token. I found 16 chars: csrfToken=abcd1234; path=/; secure. So ; path=/; secure has to be stripped not only ; secure

What worked for me now was editing the get_cookie function: from self.token = token[10:-8] to self.token = token[10:-16]

A more robust way would be to strip everything after the first semicolon to make sure everything is being stripped after the csrf-token.

https://github.com/passbolt/lab-passbolt-py/blob/c84d7b94611977baf3b5377f3eb3acd0d4d205a6/passbolt/__init__.py#L139C4-L145C60

eddie4 commented 10 months ago

Perhaps replacing line 144 with

self.token = token.split(';')[0].split('=')[1]

However, I am no Python programmer, so there might be a better way of doing it.
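The parsing problem described in the two comments above, as an added example that is not part of the original thread or the library's code: it compares the fixed-length slice, the split-based suggestion, and a standard-library cookie parser. The function names and header strings are constructed for illustration (the token `abcd1234` is the sample from the thread, and the padded value is not claimed to be Passbolt's token format).

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie values; only the attribute list after the token varies.
SAMPLES = [
    "csrfToken=abcd1234; secure",
    "csrfToken=abcd1234; path=/; secure",
    "csrfToken=abcd1234; path=/; secure; HttpOnly; SameSite=Lax",
]
# Constructed value containing '=' (base64-style padding), to exercise splitting on '='.
PADDED = "csrfToken=YWJjZA==; path=/; secure"


def token_fixed_slice(set_cookie: str) -> str:
    """Slice described in the thread: drop 'csrfToken=' and the last 8 characters."""
    return set_cookie[10:-8]


def token_split(set_cookie: str) -> str:
    """Split-based suggestion from the thread: text between the first '=' and the next '='/';'."""
    return set_cookie.split(';')[0].split('=')[1]


def token_parsed(set_cookie: str, name: str = "csrfToken") -> str:
    """Parse the header as a cookie and read the value by name, ignoring attributes."""
    cookie = SimpleCookie()
    cookie.load(set_cookie)
    morsel = cookie.get(name)
    if morsel is None or not morsel.value:
        # Fail loudly instead of sending a wrong token and getting a 403 later.
        raise ValueError(f"no {name!r} cookie in Set-Cookie header")
    return morsel.value


def compare(set_cookie: str) -> dict:
    """Return what each extraction strategy yields for one header value."""
    return {
        "fixed_slice": token_fixed_slice(set_cookie),
        "split": token_split(set_cookie),
        "parsed": token_parsed(set_cookie),
    }


if __name__ == "__main__":
    for header in SAMPLES + [PADDED]:
        print(header, "->", compare(header))
```

A token that is silently truncated or padded with attribute text is sent back in the CSRF header and rejected by the server, which is the 403 reported in this issue.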

AnatomicJC commented 10 months ago

Hi,

Thank you all for your input and details about this issue. I just published a 0.0.17 release including a fix for this issue.

Please update and let me know if you encounter any issues.

https://pypi.org/project/py-passbolt/

Cheers,

AnatomicJC commented 10 months ago

I pushed a 0.0.18 version as 0.0.17 contained a typo about the python-gnupg dependency version.

https://github.com/passbolt/lab-passbolt-py/commit/64bec9b2fc007bc0a36e9eb53b3c1e181a69d6d4

eddie4 commented 9 months ago

Can confirm problem has been solved.