Skip to content

fix: csrf check failed on public share with password#44369

Merged
juliusknorr merged 3 commits intomasterfrom
bugfix/csrf-failed-on-public-share-with-password
Apr 2, 2024
Merged

fix: csrf check failed on public share with password#44369
juliusknorr merged 3 commits intomasterfrom
bugfix/csrf-failed-on-public-share-with-password

Conversation

@luka-nextcloud
Copy link
Contributor

@luka-nextcloud luka-nextcloud commented Mar 20, 2024
edited
Loading

Summary

"CSRF check failed" on public share with password

TODO

  • ...

Checklist

@luka-nextcloud luka-nextcloud self-assigned this Mar 20, 2024
@solracsf solracsf added this to the Nextcloud 29 milestone Mar 21, 2024
@solracsf solracsf added the 3. to review Waiting for reviews label Mar 21, 2024
@Altahrim Altahrim mentioned this pull request Mar 21, 2024
Merged
ChristophWurst
ChristophWurst reviewed Mar 21, 2024
View reviewed changes
core/js/publicshareauth.js Outdated
Comment on lines 57 to 69
document.addEventListener('DOMContentLoaded', function() {
var form = document.getElementById('password-input-form');
if (form) {
form.addEventListener('submit', async function(event) {
event.preventDefault();
var requestToken = document.getElementById('requesttoken');
if (requestToken) {
requestToken.value = await OC.fetchRequestToken();
}
form.submit();
});
}
});
Copy link
Member

@ChristophWurst ChristophWurst Mar 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it be possible to move this into a "modern" js module that goes through webpack? then you can import @nextcloud/router directly and we avoid adding a new property to the dated OC global

@ChristophWurst ChristophWurst requested review from a team, Pytal, emoral435 and szaimen and removed request for a team March 21, 2024 18:09
@Altahrim Altahrim mentioned this pull request Mar 25, 2024
Merged
ChristophWurst
ChristophWurst reviewed Mar 26, 2024
View reviewed changes
core/src/main.js
Comment on lines +63 to +67
if (requestToken) {
const url = generateUrl('/csrftoken')
const resp = await Axios.get(url)
requestToken.value = resp.data.token
}
Copy link
Member

@ChristophWurst ChristophWurst Mar 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could use grab the currently known CSRF token from @nextcloud/auth to avoid the additional request?

Copy link
Contributor Author

@luka-nextcloud luka-nextcloud Mar 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR is for solving issue that the currently known CSRF token might not be the latest.

Copy link
Member

@ChristophWurst ChristophWurst Mar 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an existing CSRF token update mechanism that pulls a fresh token every 30 seconds. Is that not sufficient?

Copy link
Contributor Author

@luka-nextcloud luka-nextcloud Mar 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is not sufficient. User might submit form during the gap time and see the CSRF failed error randomly.

emoral435
emoral435 approved these changes Mar 26, 2024
View reviewed changes
Copy link
Contributor

@emoral435 emoral435 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a valid solution to me - however, haven't tested it fully

@skjnldsv skjnldsv mentioned this pull request Mar 28, 2024
Merged
81 tasks
@luka-nextcloud
fix: csrf check failed on public share with password
c08ab81 
Signed-off-by: Luka Trovic <luka@nextcloud.com>
@luka-nextcloud
fix: csrf check failed on public share with password
945828b 
Signed-off-by: Luka Trovic <luka@nextcloud.com>
@luka-nextcloud
feat: compile js
a42c68d 
Signed-off-by: Luka Trovic <luka@nextcloud.com>
@luka-nextcloud luka-nextcloud force-pushed the bugfix/csrf-failed-on-public-share-with-password branch from 6d5b7ea to a42c68d Compare March 29, 2024 08:51
@juliusknorr juliusknorr merged commit 31c6379 into master Apr 2, 2024
@juliusknorr juliusknorr deleted the bugfix/csrf-failed-on-public-share-with-password branch April 2, 2024 07:59
@luka-nextcloud
Copy link
Contributor Author

luka-nextcloud commented Jun 19, 2024

@juliushaertl @ChristophWurst @Altahrim This PR was missed from the release.

@luka-nextcloud
Copy link
Contributor Author

luka-nextcloud commented Jun 21, 2024

/backport to stable29

@backportbot backportbot bot mentioned this pull request Jun 21, 2024
Merged
2 tasks
@blizzz blizzz mentioned this pull request Jul 24, 2024
Merged
This was referenced Aug 23, 2024
Merged
Merged
@blizzz blizzz modified the milestones: Nextcloud 29, Nextcloud 30 Aug 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@Pytal Pytal Awaiting requested review from Pytal Pytal is a code owner automatically assigned from nextcloud/server-frontend

@szaimen szaimen Awaiting requested review from szaimen szaimen is a code owner automatically assigned from nextcloud/server-frontend

+1 more reviewer

@emoral435 emoral435 emoral435 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@luka-nextcloud luka-nextcloud

Labels

3. to review Waiting for reviews feature: files feature: sharing

Projects

📝 Office team
Archived in project

Milestone

Nextcloud 30

Development

Successfully merging this pull request may close these issues.

[Bug]: CSRF check failed on public share with password

6 participants

@luka-nextcloud @ChristophWurst @emoral435 @blizzz @juliusknorr @solracsf