
[Bug] CSRF Validation broken since 2.0.0 #1011

Closed
1 task done
DevYukine opened this issue Oct 16, 2024 · 7 comments · Fixed by #1014
Labels
bug Something isn't working confirmed This bug has been reproduced released

Comments

@DevYukine

Description

I have CSRF Protection enabled and my Jellyseerr is behind a reverse proxy; after upgrading to 2.0.0 every request fails with

{ "message": "invalid csrf token" }

and HTTP status code 403. This only started happening after upgrading to 2.0.0.

Version

2.0.0

Steps to Reproduce

  1. Enable CSRF-Protection
  2. Make sure you have version 2.0.0 running
  3. Try to request anything or save the settings

Screenshots

No response

Logs

No response

Platform

desktop

Device

Windows

Operating System

Windows 11

Browser

Chrome

Additional Context

No response

Code of Conduct

  • I agree to follow Jellyseerr's Code of Conduct
@DevYukine DevYukine added awaiting triage This issue needs to be reviewed bug Something isn't working labels Oct 16, 2024
@Fallenbagel
Owner

Are you accessing through https?

@r0astch1ck3n

r0astch1ck3n commented Oct 16, 2024

Same issue here. It can be worked around by editing settings.json and changing:
"csrfProtection" from true to false.

Docker running as:

docker run -d --name jellyseerr -e LOG_LEVEL=debug -e TZ=Europe/London -p 5055:5055 -v /opt/jellyseerr/appdata/config:/app/config --restart unless-stopped fallenbagel/jellyseerr:latest

With caddy running a reverse proxy (with SSL/letsencrypt):

reverse_proxy localhost:5055

@Fallenbagel
Owner

Fallenbagel commented Oct 16, 2024

If you have csrfProtection enabled you cannot use jellyseerr through http. You'll need to access through https

@DevYukine
Author

Are you accessing through https?

Yes, my Jellyseerr instance is accessed via HTTPS.

It's running behind a reverse proxy using a Let's Encrypt SSL cert, and the domain I have it on is behind Cloudflare with Cloudflare's cert.

Also, this issue only started to appear after I upgraded to v2.0.0 without changing any config; this wasn't an issue before.

@osh123
Contributor

osh123 commented Oct 16, 2024

Same here, running via HTTPS, CSRF verification is failing.

@Fallenbagel Fallenbagel added confirmed This bug has been reproduced and removed awaiting triage This issue needs to be reviewed labels Oct 16, 2024
@M0NsTeRRR
Contributor

M0NsTeRRR commented Oct 16, 2024

Hello,

For now, you can disable CSRF validation if you wish to remain on version 2.0.0 (be aware of the CSRF attack risks). Otherwise, you can roll back to version 1.9.2. I've investigated the issue with @Fallenbagel and identified the cause.

The issue originates from this PR. Axios automatically sets the XSRF-TOKEN, but fetch does not. A PR is currently a work in progress, and the fix is already known — just a bit more waiting is required :)

Axios magic: https://github.com/axios/axios/blob/v1.x/lib/helpers/resolveConfig.js#L38-L56
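
The behaviour described above, as an added illustration (this is not Jellyseerr's code nor the fix from #1014): with the double-submit-cookie pattern the server sets a token cookie, and the client must echo it back in a request header, which axios does on its own and plain fetch does not. The cookie name XSRF-TOKEN and header name X-XSRF-TOKEN are assumed here (they are axios's defaults); `readCookie`, `withCsrfHeader` and `apiFetch` are illustrative names.

```javascript
// Added example, not project code: a fetch wrapper that replays what axios
// does automatically for the double-submit-cookie CSRF pattern.
// Assumed names (axios defaults): cookie "XSRF-TOKEN", header "X-XSRF-TOKEN".
const CSRF_COOKIE = 'XSRF-TOKEN';
const CSRF_HEADER = 'X-XSRF-TOKEN';

// Pull one cookie value out of a document.cookie-style string.
// Returns null when the cookie is absent (e.g. the server never set it,
// or the Secure-flagged cookie was not stored because the page is plain http).
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Return a copy of `init` with the CSRF header attached when the token
// cookie is present. Like axios, the token is sent on every method; the
// server decides which methods it actually validates.
function withCsrfHeader(init = {}, cookieString = '') {
  const method = (init.method || 'GET').toUpperCase();
  const headers = new Headers(init.headers || {});
  const token = readCookie(cookieString, CSRF_COOKIE);
  if (token !== null) headers.set(CSRF_HEADER, token);
  // Make fetch's same-origin credential default explicit so the session
  // cookie travels with the request alongside the token header.
  return { ...init, method, headers, credentials: init.credentials || 'same-origin' };
}

// Drop-in replacement for fetch in the browser: reads document.cookie and
// forwards the token. Outside a browser there is no cookie jar, so the
// request goes out unchanged.
function apiFetch(input, init) {
  const cookies = typeof document !== 'undefined' ? document.cookie : '';
  return fetch(input, withCsrfHeader(init, cookies));
}
```

Two consequences follow from this shape. First, the wrapper only helps if the client can read the cookie: a token cookie marked HttpOnly is invisible to `document.cookie`, and one marked Secure is never stored over plain http, which is the same reason the maintainer says csrfProtection requires https. Second, a request the wrapper sends without the header is exactly the one the server rejects with the 403 "invalid csrf token" response seen in this issue, so a missing X-XSRF-TOKEN header on a failing request is the first thing to check when diagnosing it.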

Fallenbagel added a commit that referenced this issue Oct 16, 2024
During the migration from Axios to fetch, we overlooked the fact that Axios automatically handled
CSRF tokens, while fetch does not. When CSRF protection was turned on, requests were failing with an
"invalid CSRF token" error for users accessing the app even via HTTPS. This commit introduces the
`apiFetch` utility to ensure that the CSRF token is included in all requests.

fix #1011
Fallenbagel added a commit that referenced this issue Oct 16, 2024
During the migration from Axios to fetch, we overlooked the fact that Axios automatically handled
CSRF tokens, while fetch does not. When CSRF protection was turned on, requests were failing with an
"invalid CSRF token" error for users accessing the app even via HTTPS. This commit
overrides fetch to ensure that the CSRF token is included in all requests.

fix #1011
Fallenbagel added a commit that referenced this issue Oct 16, 2024
…1014)

During the migration from Axios to fetch, we overlooked the fact that Axios automatically handled
CSRF tokens, while fetch does not. When CSRF protection was turned on, requests were failing with an
"invalid CSRF token" error for users accessing the app even via HTTPS. This commit
overrides fetch to ensure that the CSRF token is included in all requests.

fix #1011
@Fallenbagel
Owner

🎉 This issue has been resolved in version 2.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

bonswouar pushed a commit to bonswouar/jellyseerr that referenced this issue Nov 10, 2024
…allenbagel#1014)

During the migration from Axios to fetch, we overlooked the fact that Axios automatically handled
CSRF tokens, while fetch does not. When CSRF protection was turned on, requests were failing with an
"invalid CSRF token" error for users accessing the app even via HTTPS. This commit
overrides fetch to ensure that the CSRF token is included in all requests.

fix Fallenbagel#1011
thibodelanghe pushed a commit to thibodelanghe/jellyseerr that referenced this issue Dec 18, 2024
…allenbagel#1014)

During the migration from Axios to fetch, we overlooked the fact that Axios automatically handled
CSRF tokens, while fetch does not. When CSRF protection was turned on, requests were failing with an
"invalid CSRF token" error for users accessing the app even via HTTPS. This commit
overrides fetch to ensure that the CSRF token is included in all requests.

fix Fallenbagel#1011