[Bug] CSRF Validation broken since 2.0.0 #1011
Comments
Are you accessing through https?
Same issue here. It can be worked around by editing settings.json and changing:
Docker running as:
With caddy running a reverse proxy (with SSL/letsencrypt):
If you have csrfProtection enabled you cannot use Jellyseerr through HTTP. You'll need to access it through HTTPS.
Yes, my Jellyseerr instance is accessed via HTTPS. It's running behind a reverse proxy using a Let's Encrypt SSL cert, and the domain I have it on is behind Cloudflare with Cloudflare's cert. Also, this issue only started to appear after I upgraded to v2.0.0, without me changing any config; this wasn't an issue before.
Same here, running via HTTPS, CSRF verification is failing.
Hello. For now, you can disable CSRF validation if you wish to remain on version 2.0.0 (be aware of the CSRF attack risks). Otherwise, you can roll back to version 1.9.2. I've investigated the issue with @Fallenbagel and identified the cause. The issue originates from this PR. Axios automatically sets the Axios magic: https://github.com/axios/axios/blob/v1.x/lib/helpers/resolveConfig.js#L38-L56
During the migration from Axios to fetch, we overlooked the fact that Axios automatically handled CSRF tokens, while fetch does not. When CSRF protection was turned on, requests were failing with an "invalid CSRF token" error for users accessing the app even via HTTPS. This commit introduces the `apiFetch` utility to ensure that the CSRF token is included in all requests. fix #1011
During the migration from Axios to fetch, we overlooked the fact that Axios automatically handled CSRF tokens, while fetch does not. When CSRF protection was turned on, requests were failing with an "invalid CSRF token" error for users accessing the app even via HTTPS. This commit overrides fetch to ensure that the CSRF token is included in all requests. fix #1011
…1014) During the migration from Axios to fetch, we overlooked the fact that Axios automatically handled CSRF tokens, while fetch does not. When CSRF protection was turned on, requests were failing with an "invalid CSRF token" error for users accessing the app even via HTTPS. This commit overrides fetch to ensure that the CSRF token is included in all requests. fix #1011
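The maintainer's comment and the commit messages above describe the mechanism but not the code: Axios reads a CSRF cookie and copies it into a request header on every same-origin request, while plain `fetch` sends nothing, so the server's CSRF check rejects every request with 403 "invalid csrf token". The following is an added example written for this page, not Jellyseerr's `apiFetch`/fetch override and not the Axios source. It re-creates that cookie-to-header behaviour in plain JavaScript and wraps `fetch` with it. The cookie and header names are Axios's documented defaults (`XSRF-TOKEN` / `X-XSRF-TOKEN`); the origin, cookie contents, request path and the fake `fetch` used by `demo()` are constructed for illustration. Which cookie and header names Jellyseerr's server actually validates, and whether it checks GET requests, is not shown on this page.

```javascript
// Added example: restoring Axios's automatic CSRF header on top of fetch.
// Not Jellyseerr's code. Cookie/header names are Axios's documented defaults;
// the origin, cookie value and request path below are constructed for illustration.

const XSRF_COOKIE_NAME = 'XSRF-TOKEN';   // Axios default xsrfCookieName (assumed here)
const XSRF_HEADER_NAME = 'X-XSRF-TOKEN'; // Axios default xsrfHeaderName (assumed here)

// Read one cookie value out of a document.cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// fetch accepts headers as a Headers instance, an array of pairs, or a plain
// object; flatten all three into one plain object so it can be inspected and extended.
function normalizeHeaders(headers) {
  const out = {};
  if (!headers) return out;
  if (Array.isArray(headers)) {
    for (const [k, v] of headers) out[k] = v;
  } else if (typeof headers.forEach === 'function') {
    headers.forEach((v, k) => { out[k] = v; }); // Headers and Map both call back (value, key)
  } else {
    Object.assign(out, headers);
  }
  return out;
}

function hasHeader(headers, name) {
  const wanted = name.toLowerCase();
  return Object.keys(headers).some((k) => k.toLowerCase() === wanted);
}

// Build the headers a request should carry. As Axios does, the token is attached
// only to same-origin requests: sending it to a third-party host would hand the
// token to whoever controls that host. A header the caller set explicitly wins.
function buildRequestHeaders(url, init, { cookieString, origin }) {
  const headers = normalizeHeaders(init && init.headers);
  const target = new URL(url, origin);
  if (target.origin !== new URL(origin).origin) return headers;
  if (hasHeader(headers, XSRF_HEADER_NAME)) return headers;
  const token = readCookie(cookieString, XSRF_COOKIE_NAME);
  if (token) headers[XSRF_HEADER_NAME] = token;
  return headers;
}

// Replace `fetch` on the given global object with a wrapper that injects the header.
// `getCookieString` is read on every call so a rotated token is picked up; in a
// browser you would pass () => document.cookie and window.location.origin.
function installCsrfFetch(globalObject, { getCookieString, origin }) {
  const originalFetch = globalObject.fetch;
  globalObject.fetch = function csrfFetch(input, init = {}) {
    // string, URL object (.href) or Request object (.url)
    const url = typeof input === 'string' ? input : (input.href || input.url);
    const headers = buildRequestHeaders(url, init, {
      cookieString: getCookieString(),
      origin,
    });
    return originalFetch.call(globalObject, input, { ...init, headers });
  };
  return originalFetch; // handed back so the override can be undone
}

// Usage against a fake fetch that records what it was called with (constructed data).
function demo() {
  const calls = [];
  const fakeGlobal = {
    fetch: (input, init) => { calls.push({ input, init }); return Promise.resolve({ status: 200 }); },
  };
  installCsrfFetch(fakeGlobal, {
    getCookieString: () => 'connect.sid=s%3Aabc; XSRF-TOKEN=t0k3n-from-cookie',
    origin: 'https://jellyseerr.example',
  });
  // same-origin state-changing request: gets the token header added
  fakeGlobal.fetch('/api/v1/settings/main', {
    method: 'POST', headers: { 'Content-Type': 'application/json' }, body: '{}',
  });
  // cross-origin request: token must not be sent
  fakeGlobal.fetch('https://third-party.example/collect', { method: 'POST' });
  return calls;
}
```

The wrapper deliberately does not filter by HTTP method: Axios attaches the header to GETs as well, and the server side decides which methods it validates. Overriding the global `fetch` mirrors what the commit message describes; routing every call through a named helper instead avoids surprising third-party code that also uses `fetch` on the page.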
🎉 This issue has been resolved in version 2.0.1 🎉 The release is available on:
Your semantic-release bot 📦🚀
…allenbagel#1014) During the migration from Axios to fetch, we overlooked the fact that Axios automatically handled CSRF tokens, while fetch does not. When CSRF protection was turned on, requests were failing with an "invalid CSRF token" error for users accessing the app even via HTTPS. This commit overrides fetch to ensure that the CSRF token is included in all requests. fix Fallenbagel#1011
Description
I have CSRF Protection enabled and my Jellyseerr behind a reverse proxy. After upgrading to 2.0.0, every request fails with
{ "message": "invalid csrf token" }
and HTTP status code 403. This only started happening after upgrading to 2.0.0.
Version
2.0.0
Steps to Reproduce
Screenshots
No response
Logs
No response
Platform
desktop
Device
Windows
Operating System
Windows 11
Browser
Chrome
Additional Context
No response