Improve CSRF and SPA (CSRF_COOKIE). #972

Merged
merged 1 commit into from
May 2, 2024
Conversation

jwag956 (Collaborator) commented May 2, 2024

We used to set the CSRF_COOKIE (if configured) at the end of a successful authentication. For 2-factor that meant that /tf-validate needed to have the CSRF-HEADER set manually (as well as /login). There seems no reason not to set the CSRF-COOKIE on GET /login - just as we return the csrf_token - so that all endpoints can use the cookie if wanted (which is what many js frameworks do).

There appeared to be no CSRF tests for logging in with unified sign in - now there is.

closes #965

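The PR body describes the double-submit CSRF cookie flow as seen from a JavaScript client: the server issues a CSRF token, the client echoes the cookie into a header on every JSON request, and the second-factor endpoint only works without manual header handling if the cookie already exists when the client reaches it. The following is an added, framework-free model of that flow written for this page; it is not Flask-Security's code. The class names, the cookie and header names (XSRF-TOKEN / X-XSRF-Token) and the 400 message are assumptions for the example, and the "old" and "new" server modes correspond to setting the cookie only at the end of a completed authentication versus already on GET /login.

```python
"""Double-submit CSRF cookie flow for a JSON/SPA client (constructed model).

Not Flask-Security's implementation: a stdlib-only stand-in whose server sets
the CSRF cookie either only after a fully completed authentication (old
behaviour) or already on GET /login (new behaviour), and whose client behaves
like a JS framework that copies whatever cookie it holds into a header.
"""
import hmac
import secrets

CSRF_COOKIE = "XSRF-TOKEN"    # assumed cookie name (a common JS-framework default)
CSRF_HEADER = "X-XSRF-Token"  # assumed header the client copies the cookie into
DENIED = (400, "You currently do not have permissions to access this page")


class CsrfServer:
    """One user's session and cookie jar; methods stand in for endpoints."""

    def __init__(self, cookie_on_get_login: bool):
        self.cookie_on_get_login = cookie_on_get_login
        self.session = {}   # server-side session: the authoritative token lives here
        self.cookies = {}   # cookies the browser would hold for this origin

    def _token(self) -> str:
        # One token per session; it is also returned in the JSON body of GET /login.
        return self.session.setdefault("csrf_token", secrets.token_urlsafe(32))

    def _csrf_ok(self, headers: dict) -> bool:
        # Validate the header against the *session* token, not against the cookie:
        # a cross-site page can make the browser send the cookie but cannot read it
        # to build the header, so a missing or wrong header marks a forged request.
        supplied = headers.get(CSRF_HEADER)
        expected = self.session.get("csrf_token")
        return bool(supplied and expected) and hmac.compare_digest(supplied, expected)

    def get_login(self):
        token = self._token()
        if self.cookie_on_get_login:          # the behaviour change this PR describes
            self.cookies[CSRF_COOKIE] = token
        return 200, {"csrf_token": token}

    def post_login(self, headers: dict):
        if not self._csrf_ok(headers):
            return DENIED
        # Password accepted but a second factor is still pending: not a completed
        # authentication, so the old behaviour set no cookie at this point.
        return 200, {"tf_required": True}

    def post_tf_validate(self, headers: dict):
        if not self._csrf_ok(headers):
            return DENIED
        self.cookies[CSRF_COOKIE] = self._token()   # end of a successful authentication
        return 200, {"authenticated": True}


class SpaClient:
    """Models a JS framework that sends the CSRF cookie back as a header on
    every request and sends no header at all when it holds no cookie."""

    def __init__(self, server: CsrfServer):
        self.server = server

    def _headers(self) -> dict:
        cookie = self.server.cookies.get(CSRF_COOKIE)
        return {CSRF_HEADER: cookie} if cookie else {}

    def login_with_2fa(self):
        self.server.get_login()                      # app loads, login form rendered
        status, body = self.server.post_login(self._headers())
        if status != 200:
            return status, body
        return self.server.post_tf_validate(self._headers())

    def login_with_manual_header(self):
        # The workaround the PR mentions: take csrf_token from the JSON body of
        # GET /login and set the header by hand on both POSTs.
        _, body = self.server.get_login()
        manual = {CSRF_HEADER: body["csrf_token"]}
        status, out = self.server.post_login(manual)
        if status != 200:
            return status, out
        return self.server.post_tf_validate(manual)


def run_spa_flow(cookie_on_get_login: bool):
    """Cookie-driven client against a server with the old or the new behaviour."""
    return SpaClient(CsrfServer(cookie_on_get_login)).login_with_2fa()


def run_manual_flow(cookie_on_get_login: bool):
    """Client that sets the header manually; works in both server modes."""
    return SpaClient(CsrfServer(cookie_on_get_login)).login_with_manual_header()


def forged_tf_validate():
    """A cross-site POST: the browser attaches the cookie, but the originating
    page cannot read it, so the request carries no CSRF header and is denied."""
    server = CsrfServer(cookie_on_get_login=True)
    server.get_login()
    return server.post_tf_validate({})


if __name__ == "__main__":
    print("old behaviour, cookie-driven SPA:", run_spa_flow(False))
    print("new behaviour, cookie-driven SPA:", run_spa_flow(True))
    print("manual header, old behaviour:", run_manual_flow(False))
    print("forged cross-site request:", forged_tf_validate())
```

With the cookie only set after a completed authentication, a cookie-driven client's first POST /login carries no header and gets the 400 from the linked issue; once the cookie is issued on GET /login, both /login and /tf-validate succeed with no client-side special casing, while a cross-site request without the header is still rejected because the check compares the header against the session token rather than trusting the cookie alone.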

codecov bot commented May 2, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.41%. Comparing base (362ec76) to head (098e964).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #972   +/-   ##
=======================================
  Coverage   98.40%   98.41%           
=======================================
  Files          35       35           
  Lines        4527     4531    +4     
=======================================
+ Hits         4455     4459    +4     
  Misses         72       72           


@jwag956 jwag956 merged commit 51d2355 into master May 2, 2024
19 checks passed
@jwag956 jwag956 deleted the csrf965 branch May 2, 2024 20:30
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 28, 2024
Linked issue (closed by this pull request): json api 2 factor validate returns 400 "You currently do not have permissions to access this page"