Production doesn't login after confirmation but dev server does #829
Comments
|
The default behavior changed in 5.3 - any chance you have an older version on your dev? |
|
Your help is much appreciated! The requirements.txt and both environments' site-packages reads 5.3.0. I did find another curious error. I thought to recommend my incoming batch of new users reset their passwords so that they might login but if they try they can an error: This error occurs when resetting new and established accounts only in production and not in dev. Could it be connected to the stuttering confirmation emails? Thank you kindly. |
|
Hmm as mentioned in the release notes - reset and confirm now set the no-referrer header as suggested by OWASP - possibly I interpreted that incorrectly. You might try downgrading to 5.2.x and see if your issues go away |
|
Yes, thanks! The rollback has my service back online, ready for the first day of school. Thanks again. |
|
Glad things are working - if you have a chance - could you check your NGINX configuration to see if it explicitly denying requests with no referrer (and maybe any ideas on why?). Any additional info would be appreaciated. |
|
I've crawled over my nginx |
|
Quick searching shows that $http_referer would be the variable to look for. I guess it's worth making absolutely sure it is NGINX that is throwing that error and not other part of your stack... |
|
I ran into this exact issue and I think I know what the root cause is: there's an incompatibility between Flask-Security and Flask-WTF. The latter has a built-in CSRF verification that works differently under HTTPS (current version is 1.1.1) - see if request.is_secure and current_app.config["WTF_CSRF_SSL_STRICT"]:
if not request.referrer:
self._error_response("The referrer header is missing.")
good_referrer = f"https://{request.host}/"
if not same_origin(request.referrer, good_referrer):
self._error_response("The referrer does not match the host.")That's probably where you are getting your error. I manage to fix it by setting |
|
Thanks for the tip - will look into that - SSL_STRICT doesn't disable CSRF - just same-origin validation - but I agree FS shouldn't require that. Those redirects shouldn't be form-driven - so possibly I implemented the no-referrer at the wrong place.... |
Although OWASP still recommends that reset password and confirmation links have the no-referrer header option set - this causes issues with HTTPS and Flask-WTF that requires a referrer header. Also - for the past 5 years, the browser default for Referrer-Policy is 'strict-origin-when-cross-origin' which should be enough to mitigate any possible Referrer leakage. closes #829
Although OWASP still recommends that reset password and confirmation links have the no-referrer header option set - this causes issues with HTTPS and Flask-WTF that requires a referrer header. Also - for the past 5 years, the browser default for Referrer-Policy is 'strict-origin-when-cross-origin' which should be enough to mitigate any possible Referrer leakage. closes #829
When I invite a new user using my local development environment, the confirmation link successfully logs in the new user. However, the exact same software running on my production environment flashes a successful confirmation message but redirects to the login page instead. The only thing that I can think of that has changed is that I upgraded my Nginx service in my production environment. Any idea what setting might be adjusted to fix this situation?
Video explanation
The text was updated successfully, but these errors were encountered: