Remove CSRF protection from CSRF endpoint

Bug #1844796 reported by Huw Wilkins
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
MAAS | Fix Released | High | Blake Rouse |

Bug Description

When posting to the CSRF endpoint it currently requires a CSRF token.

Changed in maas:
importance: Undecided → High
status: New → Triaged
Changed in maas:
milestone: none → 2.7.0alpha1
status: Triaged → In Progress
Changed in maas:
status: In Progress → Fix Committed
Huw Wilkins (huwshimi) wrote :

Hi Blake, just took another look at this and it looks like it takes the CSRF token from the current request which is unique to that request. We use the CSRF token for the websocket URL which checks against the token stored in the csrftoken cookie.

We also need a CSRF token when posting to the login endpoint, but that token would need to be the correct one for that request.

Maybe we need to approach this CSRF token stuff a bit differently. Might be worth catching Kit in your afternoon to see if there's a way we can make this work.

Huw Wilkins (huwshimi) wrote :

I should have also mentioned that for posting to login we'd need to be able to get a CSRF token unauthenticated.

Changed in maas:
status: Fix Committed → Fix Released