ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

Form fails with "Invalid CSRF token in POST request" #140

Closed vvilaplana closed 3 months ago

vvilaplana commented 3 months ago

Version:

mokey-0.6.4-amd64.rpm

OS:

Red Hat Enterprise Linux release 9.4 (Plow)

Configuration:

My /etc/mokey/mokey.toml :

[site]
name = "Identity Management"
homepage = "[my.domain.com]" <- same as FreeIPA url, but without http://
help_url = ""
getting_started_url = ""
tos_url = ""
ktuser = "mokeyapp"
keytab = "/etc/mokey/private/mokeyapp.keytab"
[accounts]
default_homedir = "/home"
default_shell = "/bin/bash"
min_passwd_len = 8
min_passwd_classes = 3
otp_hash_algorithm = "sha512"
otp_issuer = "[my_domain]"
[email]
token_max_age = 3600
token_secret = "[random-string]"
smtp_host = "[aws-ses-smtp-server]"
smtp_port = 25
smtp_tls = "off"
from = "my@email.com"
[server]
listen = "0.0.0.0:8866"
session_idle_timeout = 900
secure_cookies = true
csrf_secret = "[random-string]"

Issue description:

I get the mokey login form asking for a user, but whatever I enter, I get the error "Your session timed out. Please try logging in again". It looks CSRF-related, because the mokey logs show this:

level=error msg="Invalid CSRF token in POST request" path=/auth/login
level=error msg=Forbidden code=403 path=/auth/login username="<nil>"

Things I tried to no avail:

Workaround:

The only way to fix this is by configuring secure_cookies = false in the [server] section of mokey.toml, but this is not an acceptable solution for a production environment.

Aterfax commented 3 months ago

It is unclear if you are running Mokey with SSL? Secure cookies will not be possible without SSL.

Do you have the following set with a valid certificate and key in the [server] section?

ssl_cert = "/path/to/my/cert.pem"
ssl_key = "/path/to/my/key.pem"
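
The mechanism behind this answer, as an added Go example (mokey is written in Go, but this is not mokey's code and does not reproduce its CSRF implementation): a double-submit CSRF token whose cookie carries the Secure flag when secure_cookies is on. The cookie name `_csrf`, the secret value and the host `idm.example.test` are constructed for the example. Go's standard `net/http/cookiejar` applies the same rule a browser does: a cookie marked Secure is never attached to an `http://` request, so a server that listens in plain HTTP with secure_cookies = true receives the login POST without its CSRF cookie and answers 403, which is the "Invalid CSRF token in POST request" log line above. Over HTTPS the same cookie is returned and the check passes.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// csrfCookieName is a constructed name for this example, not mokey's.
const csrfCookieName = "_csrf"

// csrfSecret stands in for the csrf_secret value in mokey.toml (constructed).
var csrfSecret = []byte("example-csrf-secret-replace-in-real-deployments")

// sign returns the hex HMAC-SHA256 of token under csrfSecret.
func sign(token string) string {
	mac := hmac.New(sha256.New, csrfSecret)
	mac.Write([]byte(token))
	return hex.EncodeToString(mac.Sum(nil))
}

// newCSRFToken creates a random token (stored in the cookie) and its
// signature (embedded in the login form as a hidden field).
func newCSRFToken() (token, formTag string, err error) {
	b := make([]byte, 32)
	if _, err = rand.Read(b); err != nil {
		return "", "", err
	}
	token = hex.EncodeToString(b)
	return token, sign(token), nil
}

// verifyCSRF is the server-side check on POST: the cookie must have come
// back, and the form field must be the signature of the cookie's token.
func verifyCSRF(cookieToken, formTag string) bool {
	if cookieToken == "" {
		return false // no cookie reached the server: the "Invalid CSRF token" case
	}
	return hmac.Equal([]byte(sign(cookieToken)), []byte(formTag))
}

// csrfCookie builds the cookie the login page sets; secure mirrors the
// secure_cookies setting and adds the Secure flag.
func csrfCookie(token string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name: csrfCookieName, Value: token, Path: "/",
		HttpOnly: true, Secure: secure, SameSite: http.SameSiteStrictMode,
	}
}

// cookieSentBack models the browser with Go's cookie jar: the cookie is stored
// after the GET of pageURL, then the jar is asked which cookies it would attach
// to the POST to the same URL. Secure cookies are withheld from http:// URLs.
func cookieSentBack(c *http.Cookie, pageURL string) (string, bool) {
	u, err := url.Parse(pageURL)
	if err != nil {
		return "", false
	}
	jar, err := cookiejar.New(nil)
	if err != nil {
		return "", false
	}
	jar.SetCookies(u, []*http.Cookie{c})
	for _, got := range jar.Cookies(u) {
		if got.Name == c.Name {
			return got.Value, true
		}
	}
	return "", false
}

// loginAttempt runs one GET-then-POST login cycle against a server reached
// over the given scheme and returns the status the POST would receive.
func loginAttempt(secureCookies bool, scheme string) (int, error) {
	token, formTag, err := newCSRFToken()
	if err != nil {
		return 0, err
	}
	pageURL := scheme + "://idm.example.test/auth/login" // constructed host
	cookieToken, _ := cookieSentBack(csrfCookie(token, secureCookies), pageURL)
	if !verifyCSRF(cookieToken, formTag) {
		return http.StatusForbidden, nil
	}
	return http.StatusOK, nil
}

func main() {
	show := func(secure bool, scheme string) {
		code, err := loginAttempt(secure, scheme)
		fmt.Printf("secure_cookies=%v over %s -> %d (err=%v)\n", secure, scheme, code, err)
	}
	show(true, "http")  // 403: the Secure cookie is never returned over plain http
	show(true, "https") // 200: TLS configured, cookie comes back
	show(false, "http") // 200: the workaround from the report, cookie now unprotected
}
```

Running it with `go run` prints the three outcomes; the first line is the reporter's situation, the second is what ssl_cert and ssl_key in the [server] section achieve.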

vvilaplana commented 3 months ago

Spot on! It's not clearly mentioned in the doc, so I thought CSRF was unrelated to the cert. Cheers!