Remove CSRF protection from CSRF endpoint
Bug #1844796 reported by
Huw Wilkins
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| MAAS |
Fix Released
|
High
|
Blake Rouse | ||
Bug Description
When posting to the CSRF endpoint it currently requires a csrf token.
Related branches
~blake-rouse/maas:fix-1844796
- MAAS Lander: Needs Fixing
- Adam Collard (community): Approve
-
Diff: 34 lines (+5/-0)2 files modifiedsrc/maasserver/views/account.py (+2/-0)
src/maasserver/views/tests/test_account.py (+3/-0)
| Changed in maas: | |
| importance: | Undecided → High |
| status: | New → Triaged |
| Changed in maas: | |
| milestone: | none → 2.7.0alpha1 |
| status: | Triaged → In Progress |
| Changed in maas: | |
| status: | In Progress → Fix Committed |
Revision history for this message
| Huw Wilkins (huwshimi) wrote | #1 |
Revision history for this message
| Huw Wilkins (huwshimi) wrote | #2 |
| Changed in maas: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Hi Blake, just took another look at this and it looks like it takes the CSRF token from the current request which is unique to that request. We use the CSRF token for the websocket URL which checks against the token stored in the csrftoken cookie.
We also need a CSRF token when posting to the login endpoint, but that token would need to the correct one for that request.
Maybe we need to approach this CSRF token stuff a bit differently. Might be worth catching Kit in your afternoon to see if there's a way we can make this work.