CSRF middleware: Add flag to skip login cookie check #66806
Conversation
PoorlyDefinedBehaviour
requested review from
torkelo,
a team and
chri2547
as code owners
PoorlyDefinedBehaviour
requested review from
papagian,
zserge and
suntala
and removed request for
a team
PoorlyDefinedBehaviour
force-pushed
the
poorlydefinedbehaviour/add_flag_to_disable_skip_csrf_check_if_login_cookie_is_not_present
branch
from
8f795b0
to
3c81822
Compare
conf/defaults.ini
Outdated
| @@ -369,6 +369,9 @@ content_security_policy_report_only_template = """script-src 'self' 'unsafe-eval | |||
| # Controls if old angular plugins are supported or not. This will be disabled by default in future release | |||
| angular_support_enabled = true | |||
|
|
|||
| # The CSRF check will be skipped if the login cookie is not present when this value is set to true. | |||
| csrf_skip_check_if_login_cookie_not_present = true | |||
There was a problem hiding this comment.
would be it be possible to turn this into a positive option instead of a negative one?
Examples:
csrf_login_only_check
or
csrf_always_check
There was a problem hiding this comment.
Yes, we can change to csrf_always_check or csrf_login_only_check.
Should we default to always checking? (the current behavior doesn't always check)
There was a problem hiding this comment.
Changed the name to csrf_always_check and defaulted it to false. Let me know if it should default to true(breaking the current behavior)
There was a problem hiding this comment.
let's keep it csrf_always_check=false as default for now, we can investigate bringing it as a default to true
There was a problem hiding this comment.
Hi! Just my 2 cents here: the default behavior should be the same as before, this is a request from one of our external partners, which uses a auth proxy in front of grafana, and therefore the cookie is not set. So, in fact, we don't really want our default/current value to change, but just give them the ability to adapt it.
PoorlyDefinedBehaviour
force-pushed
the
poorlydefinedbehaviour/add_flag_to_disable_skip_csrf_check_if_login_cookie_is_not_present
branch
from
3c81822
to
ccfc6fc
Compare
There was a problem hiding this comment.
I think there is some inconsistency with the default value in the configuration files (defaults and samples), the configuration and the fallback value (MustBool()) when the setting is read.
conf/defaults.ini
Outdated
| @@ -369,6 +369,9 @@ content_security_policy_report_only_template = """script-src 'self' 'unsafe-eval | |||
| # Controls if old angular plugins are supported or not. This will be disabled by default in future release | |||
| angular_support_enabled = true | |||
|
|
|||
| # The CSRF check will be executed even if the request has no login cookie. | |||
| csrf_always_check = true | |||
There was a problem hiding this comment.
| csrf_always_check = true | |
| csrf_always_check = false |
align with @papagian's comment
PoorlyDefinedBehaviour
force-pushed
the
poorlydefinedbehaviour/add_flag_to_disable_skip_csrf_check_if_login_cookie_is_not_present
branch
from
ccfc6fc
to
d061444
Compare
Jguer
changed the title
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
PoorlyDefinedBehaviour
deleted the
poorlydefinedbehaviour/add_flag_to_disable_skip_csrf_check_if_login_cookie_is_not_present
branch
|
Hi @zerok, @taleena and @PoorlyDefinedBehaviour, I found the v9.5.5 doesn't cover the update, v10.x includes. I wonder when will include the fix in v9.X? |
What is this feature?
Adds a flag that when set to false, makes the CSRF middleware proceed with the CSRF check even if the login cookie is not present.
Flag defaults to
falseto preserve the current behavior.Why do we need this feature?
When using auth proxy, there's no cookie header in requests which causes the CSRF check in the CSRF middleware to be skipped. Some customers would like to execute the CSRF check anyway.
Who is this feature for?
[Add information on what kind of user the feature is for.]
Which issue(s) does this PR fix?:
Issue 144 for one of the enteprise customers.
Special notes for your reviewer:
Please check that: