(PXP-7565): Exclude Fence register-user blueprint from CSRF check #1580

Merged
merged 1 commit into from
Apr 26, 2021

Conversation

vpsx (Contributor) commented Apr 19, 2021

TLDR:
The revproxy currently implements CSRF checks using the cookie-to-header method.
Fence's new registration form, like other HTML forms, is not compatible with this method. The usual way to implement CSRF protection with HTML forms is using a hidden form field.
So here we exclude the Fence registration endpoints from the revproxy CSRF check. This is OK because Fence implements its own CSRF checks.

Here is the relevant Fence PR (implementing registration endpoints) uc-cdis/fence#906

For the record, more background on cloud-auto CSRF history:

Fence has been operating under the assumption that it manages its own CSRF token.
But actually the revproxy rewrites the token and performs its own CSRF checking.

At time of PR, the revproxy CSRF check looks like this.
That code can be traced back to this commit and this commit.

At some point between then and now, the "return 403 failed csrf check" bit migrated from the main nginx.conf into the individual *-service.conf files.
Jira Ticket: PXP-7565
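The two CSRF mechanisms the PR contrasts, modelled side by side so the routing decision is visible: a plain HTML form POST carries the CSRF cookie but no custom header, so it can never pass a cookie-to-header check at the proxy, while a hidden form field checked by the backend works for it. This is an added example and not code from cloud-automation or Fence; the route prefix `/user/register`, the cookie and header names, and the helper names are assumptions, and the proxy and backend are reduced to plain functions over dict-shaped requests.

```python
"""Toy model of proxy-level cookie-to-header CSRF checking versus a backend
hidden-field check, with a per-route exclusion. Added example, not project code."""
import hmac
import secrets
from typing import Mapping, Optional, Tuple

# Hypothetical path prefix standing in for the registration blueprint that the
# reverse proxy no longer CSRF-checks itself (assumed value, not Fence's real route).
EXCLUDED_PREFIXES = ("/user/register",)


def issue_csrf_token() -> str:
    """Fresh, unguessable token; the same value is used for both schemes below."""
    return secrets.token_urlsafe(32)


def cookie_to_header_check(cookies: Mapping[str, str], headers: Mapping[str, str],
                           cookie_name: str = "csrftoken",
                           header_name: str = "X-CSRF-Token") -> bool:
    """Cookie-to-header check: the request must carry the CSRF cookie and repeat its
    value in a custom header. Only same-origin script can set such a header, so a
    cross-site form POST (and, as the PR notes, ANY plain HTML form) cannot pass."""
    cookie = cookies.get(cookie_name)
    header = headers.get(header_name)
    if not cookie or not header:
        return False
    return hmac.compare_digest(cookie, header)


def hidden_field_check(session_token: Optional[str], form: Mapping[str, str],
                       field_name: str = "csrf_token") -> bool:
    """Hidden-form-field check: the server rendered a per-session token into a hidden
    <input>; the POST must echo it. A cross-site attacker cannot read the page to learn it."""
    submitted = form.get(field_name)
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def revproxy_decision(method: str, path: str, cookies: Mapping[str, str],
                      headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Model of the reverse proxy: state-changing requests need cookie-to-header,
    except on excluded prefixes, where the backend is trusted to check CSRF itself."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if any(path.startswith(p) for p in EXCLUDED_PREFIXES):
        return True, "excluded: backend performs its own CSRF check"
    if cookie_to_header_check(cookies, headers):
        return True, "cookie-to-header ok"
    return False, "403 failed csrf check"


def backend_decision(session_token: Optional[str], form: Mapping[str, str]) -> Tuple[bool, str]:
    """Model of the backend handler for an excluded form route."""
    if hidden_field_check(session_token, form):
        return True, "hidden field ok"
    return False, "403 failed csrf check"


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk through the four cases the PR description implies (constructed requests)."""
    token = issue_csrf_token()
    # 1. Script client (fetch/XHR) on a normal route sets the header: proxy passes.
    ok_js, _ = revproxy_decision("POST", "/user/data", {"csrftoken": token}, {"X-CSRF-Token": token})
    # 2. Plain HTML form POST on a normal route: cookie present, no custom header: proxy blocks.
    #    This is exactly why a form-based endpoint cannot sit behind the cookie-to-header check.
    blocked_form, _ = revproxy_decision("POST", "/user/data", {"csrftoken": token}, {})
    # 3. Same form POST on the excluded route: proxy passes, backend verifies the hidden field.
    ok_proxy, _ = revproxy_decision("POST", "/user/register", {"csrftoken": token}, {})
    ok_backend, _ = backend_decision(token, {"csrf_token": token, "name": "alice"})
    # 4. Cross-site forgery against the excluded route: attacker cannot know the session token.
    forged, _ = backend_decision(token, {"csrf_token": "guessed-value", "name": "alice"})
    return ok_js, not blocked_form, ok_proxy and ok_backend, not forged


if __name__ == "__main__":
    print(demo())
```

The point of the exclusion is case 3: removing the proxy check is only safe because the backend check in `backend_decision` still rejects case 4. An exclusion added without a corresponding backend check would silently leave the route unprotected, so the two should be reviewed together.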

@vpsx vpsx merged commit fb77af1 into master Apr 26, 2021
@vpsx vpsx deleted the fix/register-bp-no-csrf branch April 26, 2021 14:35