
400 Bad Request (AuthSecurityException) on login form, latest development branch #818

Closed
groovenectar opened this issue Sep 19, 2019 · 11 comments

Comments

@groovenectar
Contributor

groovenectar commented Sep 19, 2019

A video of the issue: https://i.vgy.me/nn2al7.mp4

Fresh install of Cake 3.8, and using the documentation from the develop branch

The error seems to come from vendor/cakephp/cakephp/src/Controller/Component/SecurityComponent.php in the _validatePost() method:

    /**
     * Validate submitted form
     *
     * @param \Cake\Controller\Controller $controller Instantiating controller
     * @throws \Cake\Controller\Exception\AuthSecurityException
     * @return bool true if submitted form is valid
     */
    protected function _validatePost(Controller $controller)
    {
        $token = $this->_validToken($controller);
        $hashParts = $this->_hashParts($controller);
        $check = hash_hmac('sha1', implode('', $hashParts), Security::getSalt());

        if (hash_equals($check, $token)) {
            return true;
        }

        $msg = self::DEFAULT_EXCEPTION_MESSAGE;
        if (Configure::read('debug')) {
            $msg = $this->_debugPostTokenNotMatching($controller, $hashParts);
        }

        throw new AuthSecurityException($msg);
    }

The hash_equals check is always returning false.

Even if I edit the login.ctp and add:

    $this->Form->unlockField('username');
    $this->Form->unlockField('password');
    $this->Form->unlockField('remember_me');

It still happens. It appears that the user is logged in, but it doesn't POST properly.

In ./vendor/cakedc/users/src/Controller/AppController.php, if I comment out this line:

    //$this->loadComponent('Security');

There is no error, but I'm trying to figure out why the default configuration breaks with the Security Component enabled...

Edit: I also tried downgrading to Cake 3.7, with the same result...
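As an added illustration that is not part of this issue or of CakePHP's own code, the snippet below models the check quoted from `_validatePost()`: an HMAC-SHA1 over the hash parts, compared with `hash_equals`. The hash-part layout (request target, serialized locked fields, unlocked-field list, session id) is an assumption simplified for the example, as is treating locked fields as name plus value; the function names `buildHashParts`, `issueToken` and `validateToken`, the salt and the session ids are placeholders.

```php
<?php
// Added illustration, not CakePHP's code: a minimal model of the check in the
// quoted _validatePost(). Assumed hash parts: request target, serialized locked
// fields, unlocked-field list and session id (here locked fields carry name and
// value; the real helper hashes field names and only hidden-field values).
// Function names are hypothetical.

function buildHashParts(string $url, array $lockedFields, array $unlockedFields, string $sessionId): array
{
    // Sort so the POST body's field order does not change the hash.
    ksort($lockedFields);
    sort($unlockedFields);

    return [$url, serialize($lockedFields), implode('|', $unlockedFields), $sessionId];
}

// What the form helper would embed in _Token[fields] when the form is rendered.
function issueToken(array $hashParts, string $salt): string
{
    return hash_hmac('sha1', implode('', $hashParts), $salt);
}

// What the component does on POST: recompute and compare in constant time.
function validateToken(array $hashParts, string $salt, string $token): bool
{
    $check = hash_hmac('sha1', implode('', $hashParts), $salt);

    return hash_equals($check, $token);
}

$salt = str_repeat('x', 64);            // placeholder for Security::getSalt()
$sessionId = 'constructed-session-1';   // constructed sample value
$url = '/login?redirect=https%3A%2F%2Flocalhost%3A4720%2F';
$locked = ['username' => '', 'password' => '', 'remember_me' => '0'];
$unlocked = [];

// Token as issued when the login form was rendered.
$token = issueToken(buildHashParts($url, $locked, $unlocked, $sessionId), $salt);

// Each scenario changes exactly one hash part on the submit side.
$scenarios = [
    'same parts on render and submit'          => buildHashParts($url, $locked, $unlocked, $sessionId),
    'session id changed between GET and POST'  => buildHashParts($url, $locked, $unlocked, 'constructed-session-2'),
    'submitted to a different request target'  => buildHashParts('/login', $locked, $unlocked, $sessionId),
    'field added that the form did not render' => buildHashParts($url, $locked + ['role' => 'x'], $unlocked, $sessionId),
    'field unlocked only on the submit side'   => buildHashParts($url, ['username' => '', 'password' => ''], ['remember_me'], $sessionId),
];

foreach ($scenarios as $name => $parts) {
    printf("%-45s %s\n", $name, validateToken($parts, $salt, $token) ? 'valid' : 'AuthSecurityException');
}
```

Only the first scenario validates; every other one alters a single part, so the HMAC no longer matches and the component throws. The last scenario is the case behind the `unlockField()` attempt above: unlocking changes the unlocked list on both the render and the submit side, so it only helps if the same list reaches both. A session id or request target that differs between the GET that rendered the form and the POST that submitted it fails in the same way, which is the kind of mismatch `_debugPostTokenNotMatching()` is there to describe when debug is on.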

@rochamarcelo
Collaborator

This is a Chrome-related issue: the browser was making an additional request every time you posted data without using 'https'. It worked well using a new Chrome user profile.

@groovenectar
Contributor Author

groovenectar commented Sep 23, 2019

I am experiencing it exactly the same in FF as well, using HTTPS on localhost (Docker environment)...

Also discovered something related to Debug mode / DebugKit...

Adding this (or some variation) to the default permissions.php might be useful:

    [
        'role' => '*',
        'plugin' => 'DebugKit',
        'controller' => '*',
        'action' => '*',
        'bypassAuth' => true,
    ],

Or conditionally added with if (Configure::read('debug'))

That prevents the debug toolbar from showing the login. I suspected that's what causes it, but it doesn't seem to have an effect.

@groovenectar
Contributor Author

groovenectar commented Sep 23, 2019

But I experience the issue with and without Debug enabled in app.php... It would seem unlikely that it's a browser-specific issue?

I tried it on another Chrome profile as well -- not a new one, but one that hadn't visited the URL before. Also Incognito mode, of course... I get the error every time.

@groovenectar
Contributor Author

Here's a screenshot of the Network tab in FF, including the first load of the /login page:

[Screenshot: Firefox Network tab, including the first load of the /login page]

Are you saying that in Chrome, you're seeing more than one POST request?

@rochamarcelo
Collaborator

I checked the nginx logs and it was sending two requests on submitting the form, one GET and one POST request.

Also, this happens for any page with a form; I tested without the plugin and got the same results.

You could also test using nginx and check the access log.

@groovenectar
Contributor Author

Ah thanks, I'll check those logs. That said, sounds like a potential issue with Cake!

@steinkel
Member

@groovenectar I did some checks yesterday too, but I was not able to reproduce the issue. Could you please zip & share the project (if it's a test app) and I'll use exactly your configured docker environment here to reproduce the issue?

Thanks,

@groovenectar
Contributor Author

Sure thing @steinkel, I'll look for you in the channel and send encrypted zip

@groovenectar
Contributor Author

@rochamarcelo Here are my Nginx access logs when I go to login using FF (I do get the Bad Request):

172.17.0.1 - - [24/Sep/2019:14:03:25 +0000] "GET /login?redirect=https%3A%2F%2Flocalhost%3A4720%2F HTTP/1.1" 200 1127 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"
172.17.0.1 - - [24/Sep/2019:14:03:25 +0000] "GET /css/base.css HTTP/1.1" 304 0 "https://localhost:4720/login?redirect=https%3A%2F%2Flocalhost%3A4720%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"
172.17.0.1 - - [24/Sep/2019:14:03:25 +0000] "GET /css/style.css HTTP/1.1" 304 0 "https://localhost:4720/login?redirect=https%3A%2F%2Flocalhost%3A4720%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"
172.17.0.1 - - [24/Sep/2019:14:03:40 +0000] "POST /login?redirect=https%3A%2F%2Flocalhost%3A4720%2F HTTP/1.1" 400 866 "https://localhost:4720/login?redirect=https%3A%2F%2Flocalhost%3A4720%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"

And in Chrome:

172.17.0.1 - - [24/Sep/2019:14:04:47 +0000] "GET /login?redirect=https%3A%2F%2Flocalhost%3A4720%2F HTTP/1.1" 200 1123 "-" "Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.85 Safari/537.36"
172.17.0.1 - - [24/Sep/2019:14:04:47 +0000] "GET /css/base.css HTTP/1.1" 200 167643 "https://localhost:4720/login?redirect=https%3A%2F%2Flocalhost%3A4720%2F" "Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.85 Safari/537.36"
172.17.0.1 - - [24/Sep/2019:14:04:47 +0000] "GET /css/style.css HTTP/1.1" 200 8661 "https://localhost:4720/login?redirect=https%3A%2F%2Flocalhost%3A4720%2F" "Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.85 Safari/537.36"
172.17.0.1 - - [24/Sep/2019:14:05:07 +0000] "POST /login?redirect=https%3A%2F%2Flocalhost%3A4720%2F HTTP/1.1" 400 866 "https://localhost:4720/login?redirect=https%3A%2F%2Flocalhost%3A4720%2F" "Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.85 Safari/537.36"
172.17.0.1 - - [24/Sep/2019:14:05:07 +0000] "GET /css/base.css HTTP/1.1" 200 167643 "https://localhost:4720/login?redirect=https%3A%2F%2Flocalhost%3A4720%2F" "Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.85 Safari/537.36"
172.17.0.1 - - [24/Sep/2019:14:05:07 +0000] "GET /css/style.css HTTP/1.1" 200 8661 "https://localhost:4720/login?redirect=https%3A%2F%2Flocalhost%3A4720%2F" "Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.85 Safari/537.36"

The only difference with Chrome is that it reloads the CSS on the error page... This is with debug mode off.
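The access-log check suggested earlier in the thread, written out as an added example that is not part of the issue: it parses nginx combined-format lines, drops the query string from the request target, and for every POST to the login path lists the other non-asset requests from the same client and user agent in the same second, which is where a stray GET on submit would show up. The log excerpt is constructed: the Firefox and Chrome lines are shortened copies of the ones pasted above, and the final GET+POST pair in one second models the two-request observation. The function names and the `/login` path default are this example's own.

```php
<?php
// Added example, not from the issue: run the nginx access-log check suggested
// in the thread. The excerpt is constructed (shortened user agents, plus a
// final GET+POST pair in the same second to model the two-request case).

$log = <<<'LOG'
172.17.0.1 - - [24/Sep/2019:14:03:25 +0000] "GET /login?redirect=https%3A%2F%2Flocalhost%3A4720%2F HTTP/1.1" 200 1127 "-" "Firefox/69.0"
172.17.0.1 - - [24/Sep/2019:14:03:25 +0000] "GET /css/base.css HTTP/1.1" 304 0 "https://localhost:4720/login" "Firefox/69.0"
172.17.0.1 - - [24/Sep/2019:14:03:40 +0000] "POST /login?redirect=https%3A%2F%2Flocalhost%3A4720%2F HTTP/1.1" 400 866 "https://localhost:4720/login" "Firefox/69.0"
172.17.0.1 - - [24/Sep/2019:14:05:07 +0000] "POST /login?redirect=https%3A%2F%2Flocalhost%3A4720%2F HTTP/1.1" 400 866 "https://localhost:4720/login" "Chrome/76.0.3809.85"
172.17.0.1 - - [24/Sep/2019:14:05:07 +0000] "GET /css/base.css HTTP/1.1" 200 167643 "https://localhost:4720/login" "Chrome/76.0.3809.85"
172.17.0.1 - - [24/Sep/2019:14:09:12 +0000] "GET /login HTTP/1.1" 200 1123 "-" "constructed-client"
172.17.0.1 - - [24/Sep/2019:14:09:12 +0000] "POST /login HTTP/1.1" 400 866 "https://localhost:4720/login" "constructed-client"
LOG;

// Parse combined-format lines into the fields the check needs.
function parseAccessLog(string $log): array
{
    $entries = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"/', $line, $m)) {
            continue; // skip lines that are not in combined format
        }
        $entries[] = [
            'ip'     => $m[1],
            'second' => $m[2],                           // timestamp at one-second resolution
            'method' => $m[3],
            'path'   => parse_url($m[4], PHP_URL_PATH),  // drop the ?redirect=... query string
            'status' => (int) $m[5],
            'agent'  => $m[6],
        ];
    }

    return $entries;
}

// Static assets are expected after any page load, so they are not of interest.
function isStaticAsset(string $path): bool
{
    return (bool) preg_match('~\.(css|js|map|png|jpe?g|gif|svg|ico|woff2?)$~i', $path);
}

// For every POST to the login path, collect the other non-asset requests made
// by the same client and user agent in the same second.
function findSubmitCompanions(array $entries, string $loginPath = '/login'): array
{
    $findings = [];
    foreach ($entries as $i => $post) {
        if ($post['method'] !== 'POST' || $post['path'] !== $loginPath) {
            continue;
        }
        $companions = [];
        foreach ($entries as $j => $other) {
            if ($j === $i || $other['ip'] !== $post['ip'] || $other['agent'] !== $post['agent']
                || $other['second'] !== $post['second'] || isStaticAsset($other['path'])) {
                continue;
            }
            $companions[] = sprintf('%s %s -> %d', $other['method'], $other['path'], $other['status']);
        }
        $findings[] = [
            'second'     => $post['second'],
            'agent'      => $post['agent'],
            'status'     => $post['status'],
            'companions' => $companions,
        ];
    }

    return $findings;
}

foreach (findSubmitCompanions(parseAccessLog($log)) as $f) {
    printf("[%s] %s: POST /login -> %d; other requests in that second: %s\n",
        $f['second'], $f['agent'], $f['status'],
        $f['companions'] ? implode(', ', $f['companions']) : 'none');
}
```

On the two browser runs pasted above the companion list is empty, since the only other requests in those seconds are CSS loads; only the constructed pair reports a `GET /login` beside the failing POST. Run against a real access log, an empty list for a failing submit points away from the extra-request explanation and back at the token check itself.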

@japita-se

Same here: CakePHP 3.8.
If I use stealth navigation, I get the Bad Request. But only in Chrome:
FF, Opera, no issue.

@rochamarcelo
Collaborator

For CakePHP 3.8 I suggest you use any 8.x version of the users plugin, and the 9.x version for CakePHP 4.
