[Bug 37056] New: CSRF error on login when user js contains a fetch of svc/report
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Bug ID: 37056 Summary: CSRF error on login when user js contains a fetch of svc/report Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: nick@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org It is quite common for libraries to add JS to fetch report results using svc/report on the intranet Currently, this will break logins, because svc/report uses "get_template_and_user" to verify against "intranet-main.tt" This generates a new csrf token, and fails the login. To recreate: 1 - Create a report 2 - Add to IntranetUserJs: $(document).ready(function() { // Your report ID var reportId = '492'; // Fetch the report $.get('/cgi-bin/koha/svc/report?id=' + reportId, function(data) { console.log('Kaboom'); }); }); 3 - Log out 4 - Attempt to login 5 - KO -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 --- Comment #1 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 167580 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167580&action=edit Bug 37056: Don't generate new CSRF token when fetching a report using the svc API To test: 1 - Create a report 2 - Add to IntranetUserJs: $(document).ready(function() { // Your report ID var reportId = '492'; // Fetch the report $.get('/cgi-bin/koha/svc/report?id=' + reportId, function(data) { console.log('Kaboom'); }); }); 3 - Log out 4 - Attempt to login 5 - KO 6 - Apply patch 7 - Restart all 8 - Repeat login 9 - Success! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 --- Comment #2 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 167581 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167581&action=edit Bug 37056: (Non-working POC) Attempt to preserve 403 response The former patch will prevent the issue, however, it makes svc/report return 200 when not authorized. I thought maybe the issue was that we were generating a new csrf token on the 403 page/template and tried to prevent that on this patch, however, it doesn't work. Looking for some help on this one -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au, | |jonathan.druart@gmail.com, | |julian.maurice@biblibre.com | |, m.de.rooy@rijksmuseum.nl, | |martin.renvoize@ptfs-europe | |.com, tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |major -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #167580|0 |1 is obsolete| | Attachment #167581|0 |1 is obsolete| | --- Comment #3 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 167610 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167610&action=edit Bug 37056: Mount a new intranet_svc api to avoid redirects When an unauthroized call to svc is made, we use the ErrorDocument middleware to respond with an HTML page. The API doens't do this, it simply returns its status. We should mount the svc as it own app to avoid the redirect to HTML for unauthroized responses To test: 1 - Create a report 2 - Add to IntranetUserJs: $(document).ready(function() { // Your report ID var reportId = '492'; // Fetch the report $.get('/cgi-bin/koha/svc/report?id=' + reportId, function(data) { console.log('Kaboom'); }); }); 3 - Log out 4 - Attempt to login 5 - KO 6 - Apply patch 7 - Reset all (or copy the necessary changes to your plack/apache files) 8 - Generate report and update user js again 8 - Logout, login 9 - Success! -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 --- Comment #4 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 167611 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167611&action=edit Bug 37056: Add app endpoint for OPAC SVC I think this needs to happen on another bug, there are several scripts here that use templates for auth as well as shelfbrowser.pl which does return rendered html - so maybe shouldn't be treated this way -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |nick@bywatersolutions.com |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #167611|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #167610|0 |1 is obsolete| | --- Comment #5 from Brendan Lawlor <blawlor@clamsnet.org> --- Created attachment 167617 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167617&action=edit Bug 37056: Mount a new intranet_svc api to avoid redirects When an unauthroized call to svc is made, we use the ErrorDocument middleware to respond with an HTML page. The API doens't do this, it simply returns its status. We should mount the svc as it own app to avoid the redirect to HTML for unauthroized responses To test: 1 - Create a report 2 - Add to IntranetUserJs: $(document).ready(function() { // Your report ID var reportId = '492'; // Fetch the report $.get('/cgi-bin/koha/svc/report?id=' + reportId, function(data) { console.log('Kaboom'); }); }); 3 - Log out 4 - Attempt to login 5 - KO 6 - Apply patch 7 - Reset all (or copy the necessary changes to your plack/apache files) 8 - Generate report and update user js again 8 - Logout, login 9 - Success! Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- Comment on attachment 167617 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167617 Bug 37056: Mount a new intranet_svc api to avoid redirects Review of attachment 167617: --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=37056&attachment=167617) ----------------------------------------------------------------- I think overall this is probably the way to go in order to get proper API responses. Going to Fail QA for now because of an unnecessary change and an incorrect path for the prod app root. ::: debian/templates/plack.psgi @@ +56,5 @@
root => $ENV{DEV_INSTALL}? $home: "$home/intranet/cgi-bin" )->to_app;
+my $intranet_svc = Plack::App::CGIBin->new( + root => $ENV{DEV_INSTALL}? "$home/svc": "$home/svc/cgi-bin"
That prod path looks wrong. I think it would need to be $home/intranet/cgi-bin/svc. @@ +121,4 @@
enable "+Koha::Middleware::CSRF"; $intranet; }; + mount '/intranet_svc' => builder {
I'm a bit concerned about the impact of mounting another PSGI application, although I don't have any numbers to support that concern at the moment. That said, I've proposed the same thing in bug 31380 and friends. There could be merit to this as well, since it is an API so we wouldn't want the normal HTML exception handling... ::: errors/403.pl @@ +33,4 @@
authnotrequired => 1, } ); +$template->param(
This change looks unnecessary. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #167617|0 |1 is obsolete| | --- Comment #7 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 167692 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167692&action=edit Bug 37056: Mount a new intranet_svc api to avoid redirects When an unauthroized call to svc is made, we use the ErrorDocument middleware to respond with an HTML page. The API doens't do this, it simply returns its status. We should mount the svc as it own app to avoid the redirect to HTML for unauthroized responses To test: 1 - Create a report 2 - Add to IntranetUserJs: $(document).ready(function() { // Your report ID var reportId = '492'; // Fetch the report $.get('/cgi-bin/koha/svc/report?id=' + reportId, function(data) { console.log('Kaboom'); }); }); 3 - Log out 4 - Attempt to login 5 - KO 6 - Apply patch 7 - Reset all (or copy the necessary changes to your plack/apache files) 8 - Generate report and update user js again 8 - Logout, login 9 - Success! Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|major |critical -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 --- Comment #8 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- It seems you can workaround by preventing the JS from firing at login: $(document).ready(function() { // Your report ID var reportId = '1'; if( $('body #main_auth').length > 0 ){ // Fetch the report $.get('/cgi-bin/koha/svc/report?id=' + reportId, function(data) { console.log('Kaboom'); }); } }); -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|critical |blocker -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |martin.renvoize@ptfs-europe |y.org |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #167692|0 |1 is obsolete| | --- Comment #9 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 168342 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=168342&action=edit Bug 37056: Mount a new intranet_svc api to avoid redirects When an unauthroized call to svc is made, we use the ErrorDocument middleware to respond with an HTML page. The API doens't do this, it simply returns its status. We should mount the svc as it own app to avoid the redirect to HTML for unauthroized responses To test: 1 - Create a report 2 - Add to IntranetUserJs: $(document).ready(function() { // Your report ID var reportId = '492'; // Fetch the report $.get('/cgi-bin/koha/svc/report?id=' + reportId, function(data) { console.log('Kaboom'); }); }); 3 - Log out 4 - Attempt to login 5 - KO 6 - Apply patch 7 - Reset all (or copy the necessary changes to your plack/apache files) 8 - Generate report and update user js again 8 - Logout, login 9 - Success! Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA --- Comment #10 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Working well for me, code reads OK and there's not QA failures or regressions. Passing QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to main Version(s)| |24.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 --- Comment #11 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 24.11! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |additional_work_needed --- Comment #12 from Jonathan Druart <jonathan.druart@gmail.com> --- # Failed test 'Patron cannot access svc script where circulate permissions are required' # at t/db_dependent/selenium/authentication.t line 135. # 'An Error Occurred' # doesn't match '(?^u:Error 500)' # Looks like you failed 1 test of 17. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |blawlor@clamsnet.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |37283 Keywords|additional_work_needed | --- Comment #13 from Jonathan Druart <jonathan.druart@gmail.com> --- (In reply to Jonathan Druart from comment #12)
# Failed test 'Patron cannot access svc script where circulate permissions are required' # at t/db_dependent/selenium/authentication.t line 135. # 'An Error Occurred' # doesn't match '(?^u:Error 500)' # Looks like you failed 1 test of 17.
See bug 37283. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37283 [Bug 37283] t/db_dependent/selenium/authentication.t is failing -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC|martin.renvoize@ptfs-europe | |.com | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37741 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|24.11.00 |24.11.00,24.05.06 released in| | Status|Pushed to main |Pushed to stable --- Comment #14 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.06 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m Status|Pushed to stable |Needs documenting --- Comment #15 from Fridolin Somers <fridolin.somers@biblibre.com> --- Koha::Middleware::CSRF not in 23.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=38327 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 --- Comment #16 from David Cook <dcook@prosentient.com.au> --- I couldn't remember why this was done as a separate PSGI app... but then I realised it's because of the HTTPExceptions/ErrorDocument middlewares which force HTML responses. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 --- Comment #17 from David Cook <dcook@prosentient.com.au> --- As an aside, I wonder how hard it would be to actually use the REST API for this, and set up an alias from svc/report to the REST API so that existing links don't break... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED CC| |caroline.cyr-la-rose@inlibr | |o.com Resolution|--- |FIXED --- Comment #18 from Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> --- Bug fix, nothing to add/edit in the manual. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37056 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=40214 -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org