Contrib.social

[PP-1] Disable CSRF token check for non-CSRF vulnerable authentication providers

Open on Drupal.org →
Created on 16 May 2019, over 5 years ago
Updated 30 January 2023, almost 2 years ago

We have an App using simple_oath with Bearer tokens to authentication method. After updating core from 8.6.15 to 8.71 we started getting "X-CSRF-Token request header is missing" when doing something other than GET requests to REST or JSONAPI endpoints.

So why Drupal started to require X-CSRF-Token if the authentication is done by Bearer token which is not a browser? Also I am not sure if is the job of contrib simple_oath module to deal with CSRF-Token because of https://www.drupal.org/project/drupal/issues/2753681 ?

Screenshot explains the issue.

Feature request
Status

Needs work

Version

10.1

Component
Base 

Last updated 1 day ago

Created by

🇩🇪Germany TipiT Hamburg

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment almost 2 years ago
    needs-review-queue-bot

    The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • Comment almost 2 years ago
    🇺🇸United States bradjones1 Digital Nomad Life

    A similar logic is happening on the CSRF header access check - it simply tests whether there's a session loaded (presumably) as the result of cookie usage.

    https://git.drupalcode.org/issue/drupal-3343031/-/blob/175c46afabb6cfdb1...

    I think the same criticism as I cited above regarding "...we need a service which keeps track of which authentication provider was *actually* used for the current request..." applies to that test, as well.

  • Comment about 1 year ago
    🇭🇺Hungary mxr576 Hungary

    I agree with much of the analysis in #26, particularly:

    I think to solve this properly, we need a service which keeps track of which authentication provider was *actually* used for the current request, and then the CSRF access check can use that service to be *sure* about what is actually going on during this request and only fire if the session cookie is not only present but also actively being used to authenticate the user.

    I just would like to add that watch out with a solution like this, do not make the system more dependent on state as it is currently, because that is going to work against us to solve #2218651

  • Comment about 1 year ago
    🇺🇸United States bradjones1 Digital Nomad Life

    I just would like to add that watch out with a solution like this, do not make the system more dependent on state as it is currently

    I get where you're going and have been active on that linked issue, however if the information is on the request, I think that's totally compatible with persistent servers. Authentication providers are authenticating a particular request, and so storing this information there should not poison anything else.

  • Comment about 1 year ago
    🇭🇺Hungary mxr576 Hungary

    super! :)

    and so storing this information there should not poison anything else.

    +1

  • Comment about 1 year ago
    🇬🇧United Kingdom shenzhuxi

    The key_auth module got the same problem. https://www.drupal.org/project/key_auth/issues/3174961

  • Comment 2 months ago
    🇨🇳China lawxen

    I got this problem
    The comment by Wim Leers on #7 [PP-1] Disable CSRF token check for non-CSRF vulnerable authentication providers Needs work helped me find the root cause: Send jwt(Bearer token) and Basic Auth together. Thanks @Wim Leers

    Remove Basic Auth and restart my postman, error disappeared.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024