704370 - Logging in to apps-preview-dev fails with a 403

Status: VERIFIED FIXED

(addons.mozilla.org Graveyard :: Public Pages, defect, P1)

Description

[krupa raj[:krupa]]

steps to reproduce:
1. Load https://apps-preview-dev.allizom.org/en-US/firefox/users/login
expected behavior:
2. Log in using a new account

actual behavior:
Log in fails with a 403

headers: [16:59:28.413] POST https://apps-preview-dev.allizom.org/en-US/firefox/users/browserid-login [HTTP/1.1 403 FORBIDDEN 1905ms]

Comment 1

[krupa raj[:krupa]]

This is happening with existing accounts too.

Comment 2

[Gregory Koberger (:gkoberger)]

This one's on me. My bad. Fix is on its way.

Comment 3

[Gregory Koberger (:gkoberger)]

The problem involves anonymous csrfs. I fixed it temporarily by allowing csrf_exempt, and tomorrow I'm going to try to get something working involving AJAX. I hate making something so vital (login) rely on something so complicated (numerous ajax calls), but I think it's the best way.

Comment 4

[Gregory Koberger (:gkoberger)]

Yvan, do we need CSRF tokens for the page we post to (via AJAX) after the user goes through the BrowserID steps?

https://github.com/mozilla/zamboni/blob/master/apps/users/views.py#L312

After a user logs in to BrowserID, they get a token that we POST to the page in question, which logs them into BrowserID. We pass the "assert" token from BrowserID, which is validated/verified. Not having to use a CSRF token means we can easily include a login link on every page without having to generate a CSRF token each page view (which would be a bit expensive, especially at our scale).

Comment 5

[Gregory Koberger (:gkoberger)]

The initial answer is "no need for CSRF", so until that changes I'm going to close this. Thanks Yvan!

Comment 6

[krupa raj[:krupa]]

this is fixed now.