Persona login fails with 403 Forbidden: CSRF verification failed

Status: RESOLVED FIXED
Product: Tree Management
Component: Treeherder
Priority: P1
Severity: normal

Reporter: Sami Jaktholm, Assigned: mdoglio

Attachments: 1 attachment (46 bytes, text/x-github-pull-request), emorley: review+
Description (Reporter)

3 years ago
STR:
1. Login to Treeherder with Persona from the top-left corner of the UI.

Expected results: I'm authenticated and can perform tasks that require authentication.

Actual results: The login fails silently with the following response body for /browserid/login/:
> Forbidden (403)
> 
> CSRF verification failed. Request aborted.
> 
> You are seeing this message because this site requires a CSRF cookie
> when submitting forms. This cookie is required for security reasons,
> to ensure that your browser is not being hijacked by third parties.
> 
> If you have configured your browser to disable cookies, please 
> re-enable them, at least for this site, or for 'same-origin' requests.

Further information:
- This failure also occurs with a clean profile in both Firefox 40 and Chromium 44.
- I'm not a Mozilla employee but the email I'm using to log into Persona is the same as for my level 1 commit access LDAP account (see my BMO email).
- I've successfully logged in to Treeherder previously.
- The request to browserid/login does not contain any cookies.

The request headers are:
> POST /browserid/login/ HTTP/1.1
> Host: treeherder.mozilla.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
> Accept: application/json, text/plain, */*
> Accept-Language: fi-FI,fi;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> DNT: 1
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Referer: https://treeherder.mozilla.org/
> Content-Length: 1838
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache

And the response headers:

> HTTP/1.1 403 FORBIDDEN
> Server: gunicorn/19.3.0
> X-Backend-Server: treeherder1.webapp.scl3.mozilla.com
> Vary: Accept-Encoding
> Cache-Control: max-age=900
> Content-Type: text/html; charset=UTF-8
> Content-Encoding: gzip
> Date: Sun, 23 Aug 2015 04:15:00 GMT
> Keep-Alive: timeout=5, max=1000
> Expires: Sun, 23 Aug 2015 04:30:00 GMT
> Transfer-Encoding: chunked
> Connection: Keep-Alive

This seems to be very similar to bug 1197368, but since that one only talks about creating a new account, I thought I'd log a separate one.

Comment 1

2 years ago
I can repro too.

STR:
1) Open private browsing mode (to ensure no existing cookies set)
2) Try to log into Treeherder prod using persona (in my case with a moco email)

-> Not logged in, and 403s shown in console.

Guessing due to bug 1159167.
Blocks: 1159167
Flags: needinfo?(mdoglio)
Priority: -- → P1

Updated

2 years ago
Duplicate of this bug: 1197368

Comment 3

2 years ago
Yeah, our UI code is missing the equivalent of:
https://github.com/mozilla/django-browserid/blob/6afc97aecb18343ad1db031c5399a3ae033c5124/django_browserid/static/browserid/api.js#L95-L101

I think we should be using api.js rather than rolling our own, along the lines of:
http://django-browserid.readthedocs.org/en/latest/user/customization.html#using-the-javascript-api

To use this, we'll need to add ``include('django_browserid.urls')`` to urls.py, per:
http://django-browserid.readthedocs.org/en/latest/user/quickstart.html#configuration
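As an added example (not Treeherder's UI code and not django-browserid's api.js), here is a fetch-based login client that does what the comment above says the UI was missing: obtain the CSRF token first, then send it back, with cookies, on the login POST. The `/browserid/csrf/` endpoint and its plain-text response are assumptions about the `django_browserid.urls` layout; `X-CSRFToken` is the header Django's CSRF middleware reads.

```javascript
// Added example, not Treeherder's or django-browserid's code. It shows the
// two steps Django's CSRF middleware needs from an AJAX client: get the token
// (which also sets the csrftoken cookie) and send both back on the POST.
// Assumed URL layout (django_browserid.urls): /browserid/csrf/ returns the
// token as plain text, /browserid/login/ takes the Persona assertion.
const CSRF_URL = '/browserid/csrf/';
const LOGIN_URL = '/browserid/login/';

// `credentials: 'same-origin'` makes the browser keep and resend the csrftoken
// cookie. The request in this bug carried no cookies at all, so Django had
// nothing to compare the token against and answered 403.
async function getCsrfToken(fetchImpl) {
  const res = await fetchImpl(CSRF_URL, { credentials: 'same-origin' });
  if (!res.ok) throw new Error(`CSRF endpoint returned ${res.status}`);
  return (await res.text()).trim();
}

// Token goes in X-CSRFToken (the header Django's middleware reads), the
// assertion in the form body, cookies included.
function buildLoginRequest(csrfToken, assertion) {
  return {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'X-CSRFToken': csrfToken,
      'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    },
    body: new URLSearchParams({ assertion }).toString(),
  };
}

// fetchImpl is injected so the flow can be exercised against a fake server;
// in the browser pass window.fetch.
async function loginWithAssertion(fetchImpl, assertion) {
  const token = await getCsrfToken(fetchImpl);
  const res = await fetchImpl(LOGIN_URL, buildLoginRequest(token, assertion));
  if (res.status === 403) throw new Error('CSRF verification failed');
  if (!res.ok) throw new Error(`login returned ${res.status}`);
  return res.json();
}
```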

Updated

2 years ago
Depends on: 1197552
Comment 4 (Assignee)

2 years ago
Created attachment 8651880 [details] [review]
PR 902
Assignee: nobody → mdoglio
Status: NEW → ASSIGNED
Flags: needinfo?(mdoglio)
Attachment #8651880 - Flags: review?(emorley)

Comment 5

2 years ago
Comment on attachment 8651880 [details] [review]
PR 902

Thank you :-)
Attachment #8651880 - Flags: review?(emorley) → review+
Seems to be working fine now on stage post-push. I can login/out using Persona-gmail fine with Nightly and Chrome.

Updated

2 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED