Closed Bug 1197550 Opened 10 years ago Closed 10 years ago

Persona login fails with 403 Forbidden: CSRF verification failed

Categories

(Tree Management :: Treeherder, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: sjakthol, Assigned: mdoglio)

Attachments

(1 file)

PR 902 (46 bytes, text/x-github-pull-request) - emorley: review+
STR:

1. Login to Treeherder with Persona from the top-left corner of the UI.

Expected results:

I'm authenticated and can perform tasks that require authentication.

Actual results:

The login fails silently with the following response body for /browserid/login/:

> Forbidden (403)
>
> CSRF verification failed. Request aborted.
>
> You are seeing this message because this site requires a CSRF cookie
> when submitting forms. This cookie is required for security reasons,
> to ensure that your browser is not being hijacked by third parties.
>
> If you have configured your browser to disable cookies, please
> re-enable them, at least for this site, or for 'same-origin' requests.

Further information:

- This failure also occurs with a clean profile for both Firefox 40 and Chromium 44.
- I'm not a Mozilla employee, but the email I'm using to log into Persona is the same as for my level 1 commit access LDAP account (see my BMO email).
- I've successfully logged in to Treeherder previously.
- The request to browserid/login does not contain any cookies.

The request headers are:

> POST /browserid/login/ HTTP/1.1
> Host: treeherder.mozilla.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
> Accept: application/json, text/plain, */*
> Accept-Language: fi-FI,fi;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> DNT: 1
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Referer: https://treeherder.mozilla.org/
> Content-Length: 1838
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache

And the response headers:

> HTTP/1.1 403 FORBIDDEN
> Server: gunicorn/19.3.0
> X-Backend-Server: treeherder1.webapp.scl3.mozilla.com
> Vary: Accept-Encoding
> Cache-Control: max-age=900
> Content-Type: text/html; charset=UTF-8
> Content-Encoding: gzip
> Date: Sun, 23 Aug 2015 04:15:00 GMT
> Keep-Alive: timeout=5, max=1000
> Expires: Sun, 23 Aug 2015 04:30:00 GMT
> Transfer-Encoding: chunked
> Connection: Keep-Alive

This seems to be very similar to bug 1197368, but since that only talks about creating a new account, I thought to log a separate one.
I can repro too.

STR:

1) Open private browsing mode (to ensure no existing cookies set)
2) Try to log into Treeherder prod using Persona (in my case with a moco email)

-> Not logged in, and 403s shown in console.

Guessing due to bug 1159167.
Blocks: 1159167
Flags: needinfo?(mdoglio)
Priority: -- → P1
Yeah, our UI code is missing the equivalent of:
https://github.com/mozilla/django-browserid/blob/6afc97aecb18343ad1db031c5399a3ae033c5124/django_browserid/static/browserid/api.js#L95-L101

I think we should be using api.js rather than rolling our own, along the lines of:
http://django-browserid.readthedocs.org/en/latest/user/customization.html#using-the-javascript-api

To use this, we'll need to add ``include('django_browserid.urls')`` to urls.py, per:
http://django-browserid.readthedocs.org/en/latest/user/quickstart.html#configuration
Depends on: 1197552
Attached file PR 902
Assignee: nobody → mdoglio
Status: NEW → ASSIGNED
Flags: needinfo?(mdoglio)
Attachment #8651880 - Flags: review?(emorley)
Comment on attachment 8651880 (PR 902): Thank you :-)
Attachment #8651880 - Flags: review?(emorley) → review+
Seems to be working fine now on stage post-push. I can login/out using Persona-gmail fine with Nightly and Chrome.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED