[PP-1] Disable CSRF token check for non-CSRF vulnerable authentication providers

Created on 16 May 2019, about 5 years ago
Updated 31 October 2023, 8 months ago

We have an App using simple_oath with Bearer tokens to authentication method. After updating core from 8.6.15 to 8.71 we started getting "X-CSRF-Token request header is missing" when doing something other than GET requests to REST or JSONAPI endpoints.

So why Drupal started to require X-CSRF-Token if the authentication is done by Bearer token which is not a browser? Also I am not sure if is the job of contrib simple_oath module to deal with CSRF-Token because of https://www.drupal.org/project/drupal/issues/2753681 β†’ ?

Screenshot explains the issue.

✨ Feature request
Status

Needs work

Version

11.0 πŸ”₯

Component
BaseΒ  β†’

Last updated about 2 hours ago

Created by

πŸ‡©πŸ‡ͺGermany TipiT Hamburg

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • The Needs Review Queue Bot β†’ tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

  • πŸ‡ΊπŸ‡ΈUnited States bradjones1 Digital Nomad Life

    A similar logic is happening on the CSRF header access check - it simply tests whether there's a session loaded (presumably) as the result of cookie usage.

    https://git.drupalcode.org/issue/drupal-3343031/-/blob/175c46afabb6cfdb1...

    I think the same criticism as I cited above regarding "...we need a service which keeps track of which authentication provider was *actually* used for the current request..." applies to that test, as well.

  • πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    I agree with much of the analysis in #26, particularly:

    I think to solve this properly, we need a service which keeps track of which authentication provider was *actually* used for the current request, and then the CSRF access check can use that service to be *sure* about what is actually going on during this request and only fire if the session cookie is not only present but also actively being used to authenticate the user.

    I just would like to add that watch out with a solution like this, do not make the system more dependent on state as it is currently, because that is going to work against us to solve #2218651

  • πŸ‡ΊπŸ‡ΈUnited States bradjones1 Digital Nomad Life

    I just would like to add that watch out with a solution like this, do not make the system more dependent on state as it is currently

    I get where you're going and have been active on that linked issue, however if the information is on the request, I think that's totally compatible with persistent servers. Authentication providers are authenticating a particular request, and so storing this information there should not poison anything else.

  • πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    super! :)

    and so storing this information there should not poison anything else.

    +1

  • πŸ‡¬πŸ‡§United Kingdom shenzhuxi

    The key_auth module got the same problem. https://www.drupal.org/project/key_auth/issues/3174961 β†’

Production build 0.69.0 2024