[Bug 42876] New: Update CSRF token to not reach it does not expire
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 Bug ID: 42876 Summary: Update CSRF token to not reach it does not expire Initiative type: --- Sponsorship --- status: Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Authentication Assignee: jonathan.druart@gmail.com Reporter: jonathan.druart@gmail.com QA Contact: martin.renvoize@openfifth.co.uk CC: dpavlin@rot13.org Target Milestone: --- Once the token is expired the user has to refresh the Vue app. It should be done in the background. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |36369 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36369 [Bug 36369] Make APIClient be more useful -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=34451 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Update CSRF token to not |Update CSRF token to not |reach it does not expire |reach its expiration limit -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 --- Comment #1 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 200648 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=200648&action=edit Bug 42876: Add /auth/csrf to generate a new CSRF token Patch from commit 9ef2939 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 --- Comment #2 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 200649 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=200649&action=edit Bug 42876: Fetch a new CSRF token every 6 hours The CSRF token expires after 8 hours Koha/Token.pm 64 use constant CSRF_EXPIRY_HOURS => 8; # 8 hours instead of 7 days.. The session expires after 1 day by default C4/Auth.pm 816 my $timeout = C4::Context->preference('timeout') || $default_timeout; This patch suggests to fetch a new CSRF token every 6 hours so that Vue apps users can continue to use the logged in session without getting 403 and needed to refresh the app. Test plan: 1. edit koha-tmpl/intranet-tmpl/prog/js/fetch/koha-api-client.js Locate line 219 `6 * 3600 * 1000` Replace with 10000 (for 10 seconds) 2. Rebuild % yarn api:bundle && yarn js:build && koha-plack --reload kohadev 3. Open the browser console, tab "Network" 4. Hit /cgi-bin/koha/erm/agreements 5. Notice that a successful request to /auth/csrf is made every 10 seconds 6. Open the inspector, locate the meta tag (within head) that contains the CSRF token. Notice that it is updated every 10 seconds Assisted-by: Mistral Vibe <vibe@mistral.ai> For the JS 'interval' code -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au, | |tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com --- Comment #3 from David Nind <david@davidnind.com> --- Note: Dependent bug 34451 is restricted, so you will need to be on the security team to test this bug. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |In Discussion --- Comment #4 from David Cook <dcook@prosentient.com.au> --- I've been worried about CSRF tokens expiring in Vue apps for a while, so it's good to see some work on this. But I don't think an /api/v1/auth/csrf endpoint is the way to do it. Personally, I would use a GET endpoint like /api/v1/me (or /api/v1/auth/session or something like that). The idea being that you're checking on the session and it returns a CSRF token with its response. But that thought then got me thinking... why do we expire tokens based on time? I suppose the idea is that if a token gets stolen that it expires after a certain amount of time, but 8 hours is a long time and really we're trying to authenticate that the request was made by the user's session. (This comes up a lot online and in places like OWASP "Should Timestamps be Included in CSRF Tokens for Expiration?": https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Pr... - although there is some mixed messages on per-request tokens on that cheatsheet.) I think the main reason we use time expiry is because WWW::CSRF forces us too. I'm just about to jump into a quick meeting but I'll return here shortly... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- So having just one CSRF token for the session would be interesting, but it is worth noting that printing this same token in the HTML could lead to a breach attack, which is why libraries will typically mask the token value so that it's not repeatable across multiple requests: https://metacpan.org/pod/WWW::CSRF https://docs.djangoproject.com/en/6.0/howto/csrf/ -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- Think we've got some thinking to do on this one... Overall, we're basically already doing session-based CSRF tokens. Not sure that the time is adding anything of value but is actively harming usability significantly. Actually, looking at https://metacpan.org/pod/WWW::CSRF it looks like the default value of MaxAge is a week rather than 8 hours so maybe we just put that up to a high number... But then I think it's possible for a Koha session to last a very long time? Although I think cleanup_database.pl clears out sessions every day. So yeah still some thinking left to do, but i've got to hop into a few more meetings... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876 --- Comment #7 from Jonathan Druart <jonathan.druart@gmail.com> --- I think the patch resolved the original problem: do not force the user to refresh and get "random" 403. If we need to rethink how we handle CSRF tokens, it should be done on a separate bug. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org