feat(auth): Add optional CSRF protection #697
Conversation
This pull request fixes 1 alert when merging 52e8d50 into e80920f - view on LGTM.com fixed alerts:
What will happen with external API access if we add this, though? Also, adding the middleware by itself isn't enough, right? We would have to actually generate the tokens and inject them into the login page?
@sct If you test it out, you'll see the token is automatically generated and put in the
Are you accessing it externally with an API key or with cookies? Can you try logging out entirely and accessing it again with all your cookies cleared? Using only your API key?
@sct Wait, found an issue. Will investigate and fix.
@sct Oops, sorry I fell asleep last night before I could fix this! But I believe everything should be working as expected now (login with & without the relevant cookies, accessing the API externally using a token, and setting up a new install).
This pull request fixes 1 alert when merging 942ee2f into 2bfab5e - view on LGTM.com fixed alerts:
If we always generate an Maybe I am not understanding something.
@sct So I'm totally new to this, but spent some time yesterday doing some searching/reading about the topic. This PR is supposed to implement the "double submit cookie pattern." More info: https://stackoverflow.com/questions/34782493/difference-between-csrf-and-x-csrf-token
This pull request fixes 1 alert when merging f87599b into 2bfab5e - view on LGTM.com fixed alerts:
Okay. My final concern is that some services may not support cookies, or they are setting their own cookies to log in. I know the Organizr SSO is creating its own cookie separate from ours. I'm partly worried they won't have the CSRF cookie.
@sct I personally don't use Organizr, but I'll rebase and rebuild, then do some testing with Organizr and report back. Let me know if there's anything else that needs to be tested that I didn't think of.
@sct Okay, so I took a look at Organizr. Their SSO unfortunately won't work if CSRF protection is added to Overseerr. The CSRF cookie is required to prevent I guess you'll have to make a decision here as to what is more important. I personally prefer to have CSRF protection, but I don't know if Organizr SSO is a must-have feature for other Overseerr users.
Yes. It's a must-have. A ton of people in the community use Organizr (myself included). But it doesn't just stop with Organizr. Any 3rd party apps that want to interface with the Overseerr API will not be able to. We already have a Home Assistant integration that would break from this as well. Discord bots, phone apps, and so on. CSRF doesn't really work when one of the major points of your API is to allow cross-server requests.
@sct How about adding a setting so that users can enable/disable CSRF protection?
Sure, an option for it is fine.
This pull request introduces 1 alert and fixes 1 when merging c626dde into 2f75c4c - view on LGTM.com new alerts:
fixed alerts:
Oops, didn't catch that while rebasing. @sct I've added a setting option and tested it, but when it's changed Overseerr needs to be reloaded. What's the best way to handle that?
This pull request fixes 1 alert when merging 8429ac4 into 2f75c4c - view on LGTM.com fixed alerts:
This pull request fixes 1 alert when merging 568b0d9 into 2f75c4c - view on LGTM.com fixed alerts:
@ankarhem Honestly I feel like they should be on two separate lines. But the tips in other places aren't complete sentences and don't end in punctuation, so I thought this was the best way to handle it since it's two independent clauses. Alternatively, I could change it to:
Let me know what you think!
@sct wants parentheses, so parentheses it is!
This pull request fixes 1 alert when merging 1cbb77a into 2f75c4c - view on LGTM.com fixed alerts:
This pull request fixes 1 alert when merging ef7afda into 2f75c4c - view on LGTM.com fixed alerts:
Resolves LGTM alert/error for query js/missing-token-validation. More info: https://lgtm.com/rules/1506064038914/
This pull request fixes 1 alert when merging 19818d1 into 4b0241c - view on LGTM.com fixed alerts:
🎉 This PR is included in version 1.18.0 🎉 The release is available on:
Your semantic-release bot 📦🚀
Description
Resolves LGTM alert/error for query js/missing-token-validation. More info: https://lgtm.com/rules/1506064038914/
Screenshot (if UI related)
Result when trying to log in without CSRF cookie: