feat(auth): Add CSRF debug logging for login flow#107153

Merged
JoshFerge merged 2 commits into master from jferg/csrf-debug-logging
Jan 28, 2026
Conversation

@JoshFerge JoshFerge commented Jan 28, 2026

Summary

Add debug logging to help diagnose CSRF token mismatches affecting staff/superusers on POST /auth/2fa/ with reason "CSRF token from POST incorrect".

Changes

src/sentry/web/frontend/base.py

  • Added csrf.auth_request logging in dispatch() for all /auth/* paths
  • Logs: path, method, csrf_cookie_hash, session_key_hash, user_id

src/sentry/web/frontend/csrf_failure.py

  • Enhanced csrf_failure logging with:
    • csrf_cookie_hash and csrf_post_token_hash (for comparison)
    • path, origin, user_agent
    • Preserved existing fields (reason, referer, user_id, etc.)

How to Debug

When a CSRF failure occurs, compare the logs:

  1. csrf.auth_request (on GET /auth/2fa/) - Shows csrf_cookie_hash at form render time
  2. csrf.auth_request (on POST /auth/2fa/) - Shows csrf_cookie_hash at submit time
  3. csrf_failure - Shows both csrf_cookie_hash and csrf_post_token_hash
| Scenario | Indicates |
|----------|-----------|
| csrf_cookie_hash differs between GET and POST | Cookie was overwritten (multi-tab hypothesis) |
| Hashes match but csrf_post_token_hash differs from csrf_cookie_hash | Stale form token |

Security

Only the first 8 chars of SHA256 hashes are logged to avoid leaking sensitive token values.

Test Plan

  • Ran pytest tests/sentry/web/frontend/test_twofactor.py - 6 passed
  • Ran pytest tests/sentry/web/frontend/test_auth_login.py - 45 passed
  • Pre-commit hooks pass

Add debug logging to help diagnose CSRF token mismatches affecting
staff/superusers on POST /auth/2fa/.

Changes:
- Log CSRF cookie hash and session key hash on all /auth/* requests
- Enhanced csrf_failure logging with cookie hash, POST token hash,
  origin, user-agent, and path

This allows comparing token hashes between form render (GET) and
submit (POST) to verify the multi-tab cookie overwrite hypothesis.

Only first 8 chars of SHA256 hashes are logged to avoid leaking
sensitive token values.
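The two pieces of the PR's approach, truncated-hash logging that keeps token values out of the log, and the decision table used to read the resulting lines, as an added example. This is not Sentry's code: the record shapes, the field names beyond those the PR lists, the `diagnose` helper and the sample records are assumptions built from the description above.

```python
"""Truncated-hash CSRF diagnostics, modelled on the logging this PR describes.

Added example, not Sentry's code. Record shapes, the `diagnose` helper and the
sample records are assumptions built from the PR description.
"""
import hashlib
from typing import Iterable, Optional


def token_hash(value: Optional[str]) -> Optional[str]:
    """First 8 hex chars of SHA256(value); None when the value is absent.

    A short digest is enough to tell two tokens apart when correlating log
    lines, and it never puts the token itself into the log.
    """
    if not value:
        return None
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]


def auth_request_record(path, method, csrf_cookie, session_key, user_id):
    """Fields for a csrf.auth_request-style line (assumed shape)."""
    return {
        "event": "csrf.auth_request",
        "path": path,
        "method": method,
        "csrf_cookie_hash": token_hash(csrf_cookie),
        "session_key_hash": token_hash(session_key),
        "user_id": user_id,
    }


def csrf_failure_record(path, reason, csrf_cookie, post_token, user_id,
                        origin=None, user_agent=None):
    """Fields for a csrf_failure-style line (assumed shape)."""
    return {
        "event": "csrf_failure",
        "path": path,
        "reason": reason,
        "csrf_cookie_hash": token_hash(csrf_cookie),
        "csrf_post_token_hash": token_hash(post_token),
        "user_id": user_id,
        "origin": origin,
        "user_agent": user_agent,
    }


def diagnose(records: Iterable[dict], user_id, path: str = "/auth/2fa/") -> str:
    """Apply the PR's decision table to one user's records for one path.

    Returns "cookie-overwritten", "stale-form-token", "undetermined" or
    "no-failure".
    """
    get_hash = post_hash = None
    failure = None
    for rec in records:
        if rec.get("user_id") != user_id or rec.get("path") != path:
            continue
        if rec["event"] == "csrf.auth_request":
            if rec["method"] == "GET":
                get_hash = rec["csrf_cookie_hash"]   # hash at form render time
            elif rec["method"] == "POST":
                post_hash = rec["csrf_cookie_hash"]  # hash at submit time
        elif rec["event"] == "csrf_failure":
            failure = rec
    if failure is None:
        return "no-failure"
    # Row 1 of the table: the cookie changed between render and submit.
    if get_hash and post_hash and get_hash != post_hash:
        return "cookie-overwritten"
    # Row 2: cookie stable, but the submitted token does not match it.
    if failure["csrf_cookie_hash"] != failure["csrf_post_token_hash"]:
        return "stale-form-token"
    return "undetermined"


# Constructed sample: a second tab rotated the cookie between render and submit.
OVERWRITE_CASE = [
    auth_request_record("/auth/2fa/", "GET", "cookie-secret-1", "sess-1", 42),
    auth_request_record("/auth/2fa/", "POST", "cookie-secret-2", "sess-1", 42),
    csrf_failure_record("/auth/2fa/", "CSRF token from POST incorrect",
                        "cookie-secret-2", "form-token-from-secret-1", 42),
]

# Constructed sample: cookie stable, but the submitted form carried an old token.
STALE_CASE = [
    auth_request_record("/auth/2fa/", "GET", "cookie-secret-1", "sess-1", 42),
    auth_request_record("/auth/2fa/", "POST", "cookie-secret-1", "sess-1", 42),
    csrf_failure_record("/auth/2fa/", "CSRF token from POST incorrect",
                        "cookie-secret-1", "old-form-token", 42),
]

if __name__ == "__main__":
    print(diagnose(OVERWRITE_CASE, 42))  # cookie-overwritten
    print(diagnose(STALE_CASE, 42))      # stale-form-token
```

One caveat when reading the second rule against a real Django deployment: from Django 4.1 the cookie holds the unmasked secret while every rendered form token is a masked encoding of it, so the raw cookie hash and POST-token hash differ even on a submission that validates. The value of the comparison is therefore in the first rule (did the cookie change between GET and POST?) and in spotting a POST token whose hash matches a token rendered by an earlier request; a bare mismatch between the two hashes is not on its own evidence of a stale form.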
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Jan 28, 2026
@JoshFerge JoshFerge marked this pull request as ready for review January 28, 2026 15:57
@JoshFerge JoshFerge requested review from a team and cathteng January 28, 2026 17:39
@JoshFerge JoshFerge merged commit 5069e8d into master Jan 28, 2026
67 checks passed
@JoshFerge JoshFerge deleted the jferg/csrf-debug-logging branch January 28, 2026 18:06
priscilawebdev pushed a commit that referenced this pull request Feb 2, 2026
@github-actions github-actions bot locked and limited conversation to collaborators Feb 13, 2026