Closed Bug 1496449 Opened 4 years ago Closed 4 years ago

Deploy with Heroku: CSRF token missing or incorrect

Categories: Webtools Graveyard :: Pontoon, defect, P4
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: jankoch, Assigned: jotes
Attachments: 1 file

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce:

1) Go to https://github.com/mozilla/pontoon
2) click on "Deploy to Heroku"
3) just add the Heroku URL (https://"App-Name".herokuapp.com)
4) wait until it has deployed and try to sign in
5) get a Django error message


Actual results:

Forbidden (403)
CSRF verification failed. Request aborted.

Help
Reason given for failure:

    CSRF token missing or incorrect.
    
In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

Your browser is accepting cookies.
The view function passes a request to the template's render method.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.
You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.


Expected results:

Be able to log in to Pontoon
Assignee: nobody → m
Thanks for the bug report! I was able to reproduce it by deploying to Heroku via Deploy to Heroku button. I wasn't able to reproduce it locally.

I'm unassigning myself until I can work on this again.
Assignee: m → nobody
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P4
Hi Jan,

Can you verify that you are able to deploy Pontoon locally, and this bug is specific to the heroku deployment?
Flags: needinfo?(jankoch)
Locally it works, so it is specific to Heroku.
Flags: needinfo?(jankoch)
Thank you!

In that case, it seems like it's a valid bug, but Matjaz said that he may not have time in the immediate future to tackle the problem. If you're interested in contributing, he may be able to mentor you through the code to work on a patch.

Otherwise, it'll be triaged as P4 for now.
:gandalf :mathjazz :jankoch
I can take this bug and find out what's going on. I have some experience with Heroku :)
(In reply to Jarek Śmiejczak [:jotes] from comment #5)
> :gandalf :mathjazz :jankoch
> I can take this bug and find out what's going on. I have some experience
> with Heroku :)

Thx. 
For me it looks more like a problem with the CSRF Token from Django and how it is implemented.
Jotes: thanks for the offer! It would be great if you could identify the problem and unblock Jan.
Assignee: nobody → poke
So, after some debugging I noticed the following errors in the Heroku log:

```
2018-10-06T21:24:10.523350+00:00 app[web.1]: [ERROR:django.pylibmc] 2018-10-06 21:24:10,522 MemcachedError: error 40 from memcached_get(:1:f23971f8ccb7f755e0dd0c80854d7): (0x562327090440) FAILED TO SEND AUTHENTICATION TO SERVER, no mechanism available,  host: memcached-17056.c85.us-east-1-2.ec2.cloud.redislabs.com:17056 -> libmemcached/sasl.cc:238
2018-10-06T21:24:10.523363+00:00 app[web.1]: Traceback (most recent call last):
2018-10-06T21:24:10.523365+00:00 app[web.1]: File "/app/.heroku/python/lib/python2.7/site-packages/django_pylibmc/memcached.py", line 130, in get
2018-10-06T21:24:10.523367+00:00 app[web.1]: return super(PyLibMCCache, self).get(key, default, version)
2018-10-06T21:24:10.523376+00:00 app[web.1]: File "/app/.heroku/python/lib/python2.7/site-packages/django/core/cache/backends/memcached.py", line 79, in get
2018-10-06T21:24:10.523379+00:00 app[web.1]: val = self._cache.get(key)
2018-10-06T21:24:10.523383+00:00 app[web.1]: File "/app/.heroku/python/lib/python2.7/site-packages/newrelic/api/datastore_trace.py", line 135, in _nr_datastore_trace_wrapper_
2018-10-06T21:24:10.523385+00:00 app[web.1]: return return_value(trace, lambda: wrapped(*args, **kwargs))
2018-10-06T21:24:10.523386+00:00 app[web.1]: File "/app/.heroku/python/lib/python2.7/site-packages/newrelic/api/coroutine_trace.py", line 171, in return_value
2018-10-06T21:24:10.523388+00:00 app[web.1]: return fn()
2018-10-06T21:24:10.523390+00:00 app[web.1]: File "/app/.heroku/python/lib/python2.7/site-packages/newrelic/api/datastore_trace.py", line 135, in <lambda>
2018-10-06T21:24:10.523391+00:00 app[web.1]: return return_value(trace, lambda: wrapped(*args, **kwargs))
2018-10-06T21:24:10.523393+00:00 app[web.1]: Error: error 40 from memcached_get(:1:f23971f8ccb7f755e0dd0c80854d7): (0x562327090440) FAILED TO SEND AUTHENTICATION TO SERVER, no mechanism available,  host: memcached-17056.c85.us-east-1-2.ec2.cloud.redislabs.com:17056 -> libmemcached/sasl.cc:238
2018-10-06T21:24:10.525362+00:00 app[web.1]: [ERROR:django.pylibmc] 2018-10-06 21:24:10,525 MemcachedError: error 47 from memcached_set: (0x562327090440) SERVER HAS FAILED AND IS DISABLED UNTIL TIMED RETRY,  host: memcached-17056.c85.us-east-1-2.ec2.cloud.redislabs.com:17056 -> libmemcached/connect.cc:720
2018-10-06T21:24:10.525365+00:00 app[web.1]: Traceback (most recent call last):
2018-10-06T21:24:10.525367+00:00 app[web.1]: File "/app/.heroku/python/lib/python2.7/site-packages/django_pylibmc/memcached.py", line 140, in set
2018-10-06T21:24:10.525369+00:00 app[web.1]: **COMPRESS_KWARGS)
2018-10-06T21:24:10.525370+00:00 app[web.1]: File "/app/.heroku/python/lib/python2.7/site-packages/newrelic/api/datastore_trace.py", line 135, in _nr_datastore_trace_wrapper_
2018-10-06T21:24:10.525372+00:00 app[web.1]: return return_value(trace, lambda: wrapped(*args, **kwargs))
2018-10-06T21:24:10.525374+00:00 app[web.1]: File "/app/.heroku/python/lib/python2.7/site-packages/newrelic/api/coroutine_trace.py", line 171, in return_value
2018-10-06T21:24:10.525375+00:00 app[web.1]: return fn()
2018-10-06T21:24:10.525377+00:00 app[web.1]: File "/app/.heroku/python/lib/python2.7/site-packages/newrelic/api/datastore_trace.py", line 135, in <lambda>
2018-10-06T21:24:10.525379+00:00 app[web.1]: return return_value(trace, lambda: wrapped(*args, **kwargs))
2018-10-06T21:24:10.525385+00:00 app[web.1]: ServerDown: error 47 from memcached_set: (0x562327090440) SERVER HAS FAILED AND IS DISABLED UNTIL TIMED RETRY,  host: memcached-17056.c85.us-east-1-2.ec2.cloud.redislabs.com:17056 -> libmemcached/connect.cc:720
2018-10-06T21:24:10.527378+00:00 app[web.1]: [WARNING:django.security.csrf] 2018-10-06 21:24:10,527 Forbidden (CSRF token missing or incorrect.): /a/login/
```
And it looks like this error with authentication to the cache is related to the CSRF mismatch. After I set a username and password for the memcache server, I was able to log in.

I'll prepare the PR after some sleep :D
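An added illustration of the failure chain the log lines above point at (this is example code written for this page, not Pontoon's code and not from anyone in this thread): a cache backend that logs and swallows memcached errors, exactly as the `django.pylibmc` entries show, makes every write silently vanish, so a CSRF secret persisted on the GET of the login form can no longer be found on the POST and the middleware reports "CSRF token missing or incorrect." The assumptions are that the CSRF secret is kept server-side in the cache (a session store or anonymous-token store backed by memcached; the page does not state Pontoon's exact mechanism) and that `FailSilentCache`, `get_login_form`, `post_login` and `cache_self_test` are hypothetical stand-ins for the real middleware and backend. The last function is the preflight a practitioner would run from `manage.py shell` before blaming CSRF.

```python
"""Added example (not Pontoon's code): how a cache backend that swallows
its own errors turns into Django's "CSRF token missing or incorrect" 403.

Assumptions (not stated on the bug page): the CSRF secret handed to the
login form is kept server-side in the cache, and the backend logs and
swallows memcached errors the way the django.pylibmc log lines show.
"""
import logging
import secrets

log = logging.getLogger("django.pylibmc")  # same logger name as in the Heroku log


class MemcachedError(Exception):
    """Stand-in for the pylibmc error raised when SASL auth fails."""


class FailSilentCache:
    """Mimics a Django cache backend: errors are logged, then swallowed.
    get() falls back to `default`, set() returns False."""

    def __init__(self, authenticated=True):
        self.authenticated = authenticated  # False = no SASL credentials configured
        self._store = {}

    def _check(self, op):
        if not self.authenticated:
            raise MemcachedError(
                f"error 40 from {op}: FAILED TO SEND AUTHENTICATION TO SERVER"
            )

    def get(self, key, default=None):
        try:
            self._check("memcached_get")
            return self._store.get(key, default)
        except MemcachedError as exc:
            log.error("MemcachedError: %s", exc)
            return default

    def set(self, key, value):
        try:
            self._check("memcached_set")
            self._store[key] = value
            return True
        except MemcachedError as exc:
            log.error("MemcachedError: %s", exc)
            return False


def get_login_form(cache, client_key=None):
    """GET /a/login/: look up (or mint) the CSRF secret for this client,
    persist it, embed it in the form. Returns (client_key, csrf_token)."""
    client_key = client_key or secrets.token_hex(16)  # would travel in a cookie
    token = cache.get(f"csrf:{client_key}")
    if token is None:
        token = secrets.token_hex(32)
        cache.set(f"csrf:{client_key}", token)  # return value ignored, like middleware
    return client_key, token


def post_login(cache, client_key, submitted_token):
    """POST /a/login/: the middleware-style check. Returns (status, reason)."""
    expected = cache.get(f"csrf:{client_key}")
    if expected is None or not secrets.compare_digest(expected, submitted_token):
        return 403, "CSRF token missing or incorrect."
    return 302, "OK"


def login_flow(cache):
    """Full GET-then-POST sequence a browser performs; returns the POST result."""
    client_key, token = get_login_form(cache)
    return post_login(cache, client_key, token)


def cache_self_test(cache):
    """Preflight to run before blaming CSRF: a round trip through the cache.
    A backend that silently drops writes fails this even though no exception
    ever reaches the caller."""
    key, value = f"selftest:{secrets.token_hex(8)}", secrets.token_hex(8)
    cache.set(key, value)
    return cache.get(key) == value


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for creds in (True, False):
        cache = FailSilentCache(authenticated=creds)
        print(f"credentials={creds}: self_test={cache_self_test(cache)}, "
              f"login -> {login_flow(cache)}")
```

With credentials the flow returns `(302, "OK")`; without them every GET mints a fresh secret that is never stored, so the POST returns the 403 from the report and the failure is persistent rather than transient. The round-trip self-test is what distinguishes "cache silently broken" from a genuine CSRF problem in the application.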
:jotes I tested your fork on Heroku and wasn't able to log in. Also, it didn't show any error message, even though DEBUG was set to True. Were you able to log in?
:jankoch
Hey,

Could you provide more details?
When I tried to deploy a new app 10 minutes ago (thanks to the Heroku button), everything went smoothly and I'm able to log in.

You can see my instance here:
https://finaltesting2.herokuapp.com/

Can you check this link: https://dashboard.heroku.com/new?button-url=https%3A%2F%2Fgithub.com%2Fjotes%2Fpontoon%2F&template=https%3A%2F%2Fgithub.com%2Fjotes%2Fpontoon%2F ?

Also, the default login is: pontoon@example.com, password: supersecretpassword
:jotes

I just took a look at your Heroku deployment and I receive a 404 on https://finaltesting2.herokuapp.com/teams/ & https://finaltesting2.herokuapp.com/projects.
I was also able to reproduce this from Mozilla's Git repo directly.
(In reply to jankoch from comment #12)
> I just took a look at your Heroku deployment and I receive a 404 on
> https://finaltesting2.herokuapp.com/teams/ &
> https://finaltesting2.herokuapp.com/projects.
> I was also able to reproduce this from Mozilla's Git repo directly.

That's actually expected - in default install only system projects are setup, which are hidden from Projects and Teams dashboards.
Okay, sorry. Then the ticket can be closed.
:jotes Thank you
> That's actually expected - in default install only system projects are setup, which are hidden from Projects and Teams dashboards.

Should we open a new ticket then, about improving the experience of deploying your own instance so that things that are not setup are not exposed in the main menu?

Naturally, when I opened your instance, I clicked on `Teams` and `Projects` as the first thing because of their placement in the top menu.
Flags: needinfo?(poke)
Flags: needinfo?(m)
Also, the CTA ("Start Localizing Now") is a 404.
Yup, I think we should file a bug to make custom deployments easier. Due to the Mozilla-centric nature of Pontoon, it would be a P4 or P5 bug, though: https://wiki.mozilla.org/L10n:Pontoon#Prioritizing_bugs.

I don't think simply hiding Teams and Projects from the menu is the right way to go. Instead, we should show "empty" dashboards with a link to "Set up your first project". Once the first (non-system) project is set up, the Teams and Projects links will work.

And regarding the broken CTA - this bug should also change the homepage for the custom deployments, at least the Mozilla-specific sections (1 and 2).
Flags: needinfo?(m)
See Also: → 1497572
Commit pushed to master at https://github.com/mozilla/pontoon

https://github.com/mozilla/pontoon/commit/16dec4001d319ab20bd106f840b693ec8e4c92de
Fix bug 1496449: Change the cache backend (#1097)

Replace django-pylibmc with django-bmemcached, which is recommended by
other Heroku users. We also update app.js (used during Deploy with
Heroku button) and docs to use Memcachier add-on instead of Memcached
Cloud.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Flags: needinfo?(poke)
Product: Webtools → Webtools Graveyard