New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lock down cookie based authentication on API endpoints #7028
Labels
Comments
wardi
changed the title
Look down cookie based authentication on API endpoints
Lock down cookie based authentication on API endpoints
Aug 23, 2022
@TomeCirun you were kindly volunteered to work on this by @tino097 :) Let's start with the first point. I think what we need to do is:
Does this make sense? |
5 tasks
amercader
added a commit
that referenced
this issue
Sep 15, 2022
Refs #7028 Site maintainers can choose to completely ignore cookie based authentication for API calls. When `ckan.auth.disable_cookie_auth_in_api` is set to False, if there is a user identified via the cookie and it is an API request, it will be ignored entirely and CKAN will fall back to token based authentication. This will probably break some JS widgets and view plugins from the frontend so it should be used with caution.
amercader
added a commit
that referenced
this issue
Sep 16, 2022
amercader
added a commit
that referenced
this issue
Sep 19, 2022
smotornyuk
added a commit
that referenced
this issue
Sep 19, 2022
…h-in-api [#7028] Allow to shut down cookie based auth for API entirely
amercader
added a commit
that referenced
this issue
Sep 22, 2022
amercader
added a commit
that referenced
this issue
Sep 22, 2022
amercader
added a commit
that referenced
this issue
Sep 29, 2022
amercader
added a commit
that referenced
this issue
Sep 29, 2022
The request.endpoint does not always match the actual view function, eg organization.edit or custom_group.edit both point to group.edit, which is what the csrf library expects in the exempt list
amercader
added a commit
that referenced
this issue
Sep 29, 2022
If we mock the logged in user directly, the CSRF validation fails. Using environ_overrides with {"REMOTE_USER": name} or {"Authorization": token} bypasses the CSRF protection. In these cases we need to use the REMOTE_USER variant because the Authorization header is not passed to redirects, so we can't get the final request content to test it
amercader
added a commit
that referenced
this issue
Sep 29, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Discussed on 2022-08-23 dev meeting:
@csrf.exempt
decorator here?@wardi @EricSoroos did I capture that correctly?
The text was updated successfully, but these errors were encountered: