Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: csrf check failed on public share with password #44369

Merged
merged 3 commits into from
Apr 2, 2024
Merged

fix: csrf check failed on public share with password #44369

merged 3 commits into from
Apr 2, 2024

Conversation

luka-nextcloud
Copy link
Contributor

@luka-nextcloud luka-nextcloud commented Mar 20, 2024
edited
Loading

Summary

"CSRF check failed" on public share with password

TODO

  • ...

Checklist

@luka-nextcloud luka-nextcloud self-assigned this Mar 20, 2024
@solracsf solracsf added this to the Nextcloud 29 milestone Mar 21, 2024
@solracsf solracsf added the 3. to review Waiting for reviews label Mar 21, 2024
@Altahrim Altahrim mentioned this pull request Mar 21, 2024
Merged
ChristophWurst
ChristophWurst reviewed Mar 21, 2024
View reviewed changes
core/js/publicshareauth.js Outdated
Comment on lines 57 to 69
document.addEventListener('DOMContentLoaded', function() {
var form = document.getElementById('password-input-form');
if (form) {
form.addEventListener('submit', async function(event) {
event.preventDefault();
var requestToken = document.getElementById('requesttoken');
if (requestToken) {
requestToken.value = await OC.fetchRequestToken();
}
form.submit();
});
}
});
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it be possible to move this into a "modern" js module that goes through webpack? then you can import @nextcloud/router directly and we avoid adding a new property to the dated OC global

@ChristophWurst ChristophWurst requested review from a team, Pytal, szaimen and emoral435 and removed request for a team March 21, 2024 18:09
@Altahrim Altahrim mentioned this pull request Mar 25, 2024
Merged
ChristophWurst
ChristophWurst reviewed Mar 26, 2024
View reviewed changes
core/src/main.js
Comment on lines +63 to +67
if (requestToken) {
const url = generateUrl('/csrftoken')
const resp = await Axios.get(url)
requestToken.value = resp.data.token
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could use grab the currently known CSRF token from @nextcloud/auth to avoid the additional request?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR is for solving issue that the currently known CSRF token might not be the latest.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an existing CSRF token update mechanism that pulls a fresh token every 30 seconds. Is that not sufficient?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is not sufficient. User might submit form during the gap time and see the CSRF failed error randomly.

emoral435
emoral435 approved these changes Mar 26, 2024
View reviewed changes
Copy link
Contributor

@emoral435 emoral435 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a valid solution to me - however, haven't tested it fully

@skjnldsv skjnldsv mentioned this pull request Mar 28, 2024
Merged
81 tasks
@luka-nextcloud
fix: csrf check failed on public share with password
c08ab81 
Signed-off-by: Luka Trovic <luka@nextcloud.com>
@luka-nextcloud
fix: csrf check failed on public share with password
945828b 
Signed-off-by: Luka Trovic <luka@nextcloud.com>
@luka-nextcloud
feat: compile js
a42c68d 
Signed-off-by: Luka Trovic <luka@nextcloud.com>
@luka-nextcloud luka-nextcloud force-pushed the bugfix/csrf-failed-on-public-share-with-password branch from 6d5b7ea to a42c68d Compare March 29, 2024 08:51
@juliushaertl juliushaertl merged commit 31c6379 into master Apr 2, 2024
166 of 168 checks passed
@juliushaertl juliushaertl deleted the bugfix/csrf-failed-on-public-share-with-password branch April 2, 2024 07:59
@luka-nextcloud
Copy link
Contributor Author

@juliushaertl @ChristophWurst @Altahrim This PR was missed from the release.

@luka-nextcloud
Copy link
Contributor Author

/backport to stable29

@backportbot backportbot bot mentioned this pull request Jun 21, 2024
Merged
2 tasks
@blizzz blizzz mentioned this pull request Jul 24, 2024
Merged
This was referenced Aug 23, 2024
Merged
Merged
@blizzz blizzz modified the milestones: Nextcloud 29, Nextcloud 30 Aug 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@emoral435 emoral435 emoral435 approved these changes

@Pytal Pytal Awaiting requested review from Pytal Pytal was automatically assigned from nextcloud/server-frontend

@szaimen szaimen Awaiting requested review from szaimen szaimen was automatically assigned from nextcloud/server-frontend

Assignees

@luka-nextcloud luka-nextcloud

Labels
3. to review Waiting for reviews feature: files feature: sharing
Projects
📝 Office team
Archived in project
Milestone
Nextcloud 30
Development

Successfully merging this pull request may close these issues.

[Bug]: CSRF check failed on public share with password
6 participants
@luka-nextcloud @ChristophWurst @emoral435 @blizzz @juliushaertl @solracsf