ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

Getting "Forbidden - CSRF token invalid" #13

Closed hanej closed 6 years ago

hanej commented 6 years ago

I looked through the code, documentation, and previous issues but haven't been able to resolve my issue. I set both auth_key and enc_key to random 32 characters but when I log in I get the "Forbidden - CSRF token invalid" message. There are no messages from mokey when run from the command line. SSL is disabled as we will be proxying this through a load balancer. Is there another place to look for debug logs? Any idea why I would be getting this message?

# /usr/bin/mokey -d server
INFO[0000] Using template dir: /usr/share/mokey/templates
INFO[0000] IPA server: localhost
WARN[0000] **WARNING*** SSL/TLS not enabled. HTTP communication will not be encrypted and vulnerable to snooping.
INFO[0000] Running on http://0.0.0.0:9000
INFO[0307] Redirect URL                                  wyaf=/

hanej commented 6 years ago

I will change my tokens to another random 32 character string but this is what I have configured now.

#------------------------------------------------------------------------------
# Secure webserver port to listen on
#------------------------------------------------------------------------------
port: 9000

#------------------------------------------------------------------------------
# Insecure redirect host and port. If set will redirect http to https
#------------------------------------------------------------------------------
# insecure_redirect_port: 80
# insecure_redirect_host: localhost

#------------------------------------------------------------------------------
# Webserver interface to listen on
#------------------------------------------------------------------------------
bind: "0.0.0.0"

#------------------------------------------------------------------------------
# SSL certificate
#------------------------------------------------------------------------------
# cert: "/path/to/cert"

#------------------------------------------------------------------------------
# SSL private key
#------------------------------------------------------------------------------
# key: "/path/to/key"

#------------------------------------------------------------------------------
# Min password length
#------------------------------------------------------------------------------
# min_passwd_len: 8

#------------------------------------------------------------------------------
# Authentication key used for HMAC token signing and secure cookies
#------------------------------------------------------------------------------
auth_key: "rbAk9oAyyIF9On3TfvF8MLP2MvogYGiN"

#------------------------------------------------------------------------------
# Encryption key used for encrypting cookies
#------------------------------------------------------------------------------
enc_key: "x8yiNJPNK43azdggEgpTMdjPEu9lZf6G"

#------------------------------------------------------------------------------
# Templates directory
#------------------------------------------------------------------------------
templates: /usr/share/mokey/templates

#------------------------------------------------------------------------------
# Force Two-Factor authentication on login. If enabled users will be required
# to provide their security question (if OTP is disabled) in addition to their
# password when logging in. Defaults to true
#------------------------------------------------------------------------------
force_2fa: false

#------------------------------------------------------------------------------
# Require security question for password resets. If disabled, users will not be
# required to enter their security question when resetting their password. They
# will only need the link sent to their email address. Disabling this option is
# not recommended. Defaults to true
#------------------------------------------------------------------------------
require_question_pwreset: false

#------------------------------------------------------------------------------
# FreeIPA server hostname (defaults to /etc/ipa/default.conf)
#------------------------------------------------------------------------------
ipahost: "localhost"

#------------------------------------------------------------------------------
# Keytab file for mokey (should have "Modify users and Reset passwords"
# privilege in FreeIPA)
#------------------------------------------------------------------------------
keytab: "/etc/mokey/keytab/mokey.keytab"

#------------------------------------------------------------------------------
# Enable rate limiting based on remote ip (requires redis)
#------------------------------------------------------------------------------
rate_limit: false

aebruno commented 6 years ago

Which version of mokey are you running?

hanej commented 6 years ago

The latest. V0.0.6

aebruno commented 6 years ago

The CSRF cookie requires HTTPS by default. Try setting this config option in mokey.yaml:

develop: true

This disables HTTPS for CSRF.
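
How the Secure flag on the CSRF cookie produces exactly this 403 over plain HTTP, as an added Go example that is not mokey's own code: the handler, the cookie name `_csrf` and the constructed token are assumptions, and the `develop` flag stands in for the `develop: true` setting above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)

// newLoginHandler is a hypothetical stand-in for mokey's login flow (not the
// project's code): GET issues the CSRF cookie, POST rejects a request that does
// not return it with the 403 from this issue. Secure is set unless develop is true.
func newLoginHandler(develop bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet {
			http.SetCookie(w, &http.Cookie{Name: "_csrf", Value: "constructed-token",
				Path: "/", HttpOnly: true, Secure: !develop}) // Secure: sent over HTTPS only
			return
		}
		if _, err := r.Cookie("_csrf"); err != nil { // cookie did not come back
			http.Error(w, "Forbidden - CSRF token invalid", http.StatusForbidden)
		}
	}
}

// LoginStatusOverHTTP runs GET then POST against a plain-HTTP server (the
// situation behind a TLS-terminating load balancer) with a browser-like cookie
// jar and returns the POST status code.
func LoginStatusOverHTTP(develop bool) (int, error) {
	srv := httptest.NewServer(newLoginHandler(develop)) // URL scheme is http://
	defer srv.Close()
	jar, _ := cookiejar.New(nil) // like a browser, withholds Secure cookies from http://
	client := &http.Client{Jar: jar}
	resp, err := client.Get(srv.URL + "/login")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	if resp, err = client.Post(srv.URL+"/login", "text/plain", nil); err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	for _, dev := range []bool{false, true} {
		code, _ := LoginStatusOverHTTP(dev)
		fmt.Printf("develop=%v over plain HTTP: POST /login -> %d\n", dev, code)
	}
}
```

With develop: true the cookie is no longer marked Secure, so the protection now depends on TLS being terminated at the load balancer and the portal being reachable only through it.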

hanej commented 6 years ago

I've tried that as well and got the same result.

hanej commented 6 years ago

I must have tried a different combination that didn't work before. I just changed develop: true and it's working now. Thank you for your help.

aebruno commented 6 years ago

@hanej No problem. Glad to hear you got it working.