Closed
Bug 704370
Opened 13 years ago
Closed 13 years ago
Logging in to apps-preview-dev fails with a 403
Categories: addons.mozilla.org Graveyard :: Public Pages, defect, P1
Tracking: Not tracked
Status: VERIFIED FIXED
Target Milestone: 6.3.3
People: Reporter: krupa.mozbugs, Assigned: gkoberger

Description
Steps to reproduce:
1. Load https://apps-preview-dev.allizom.org/en-US/firefox/users/login
2. Log in using a new account

Actual behavior:
Log in fails with a 403.

Headers:
[16:59:28.413] POST https://apps-preview-dev.allizom.org/en-US/firefox/users/browserid-login [HTTP/1.1 403 FORBIDDEN 1905ms]
Comment 1 (Reporter, 13 years ago)
This is happening with existing accounts too.
Summary: Logging in to apps-preview-dev fails with a 403 for new accounts → Logging in to apps-preview-dev fails with a 403
Updated by Reporter, 13 years ago
Severity: normal → critical
Comment 2 (Assignee, 13 years ago)
This one's on me. My bad. Fix is on its way.
Comment 3 (Assignee, 13 years ago)
The problem involves anonymous csrfs. I fixed it temporarily by allowing csrf_exempt, and tomorrow I'm going to try to get something working involving AJAX. I hate making something so vital (login) rely on something so complicated (numerous ajax calls), but I think it's the best way.
Updated by Assignee, 13 years ago
Assignee: nobody → gkoberger
Updated by Assignee, 13 years ago
Priority: -- → P1
Target Milestone: --- → 6.3.3
Comment 4 (Assignee, 13 years ago)
Yvan, do we need CSRF tokens for the page we post to (via AJAX) after the user goes through the BrowserID steps? https://github.com/mozilla/zamboni/blob/master/apps/users/views.py#L312 After a user logs in to BrowserID, they get a token that we POST to the page in question, which logs them into BrowserID. We pass the "assert" token from BrowserID, which is validated/verified. Not having to use a CSRF token means we can easily include a login link on every page without having to generate a CSRF token each page view (which would be a bit expensive, especially at our scale).
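An added illustration of the two behaviours discussed in this thread (not zamboni's code): a CSRF-checked login handler that rejects an anonymous visitor who was never issued a token, versus a csrf_exempt handler that relies on the BrowserID assertion verifying. The request/session shapes and the `verify_assertion` stand-in (which mimics a verifier's email/audience check with a constructed assertion format) are assumptions for this example.

```python
# Added example: models the 403 in this bug and the csrf_exempt fix.
# Not the project's code; request shape and verifier are stand-ins.
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    post: dict
    cookies: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def verify_assertion(assertion, audience):
    """Stand-in for the BrowserID verifier (constructed: a real deployment
    sends the assertion to the verifier service). Assertion format here is
    "<email>|<audience>|signed"; returns the email or None."""
    try:
        email, aud, tag = assertion.split("|")
    except ValueError:
        return None
    if aud != audience or tag != "signed":
        return None
    return email


def csrf_checked_login(request, audience):
    """Original behaviour: the CSRF middleware demands a token that matches the
    csrftoken cookie, but an anonymous visitor was never given one -> 403."""
    token = request.cookies.get("csrftoken")
    if token is None or request.post.get("csrfmiddlewaretoken") != token:
        return 403
    return browserid_login(request, audience)


def browserid_login(request, audience):
    """csrf_exempt variant: the POSTed assertion must verify for this site's
    audience, so a cross-site POST with no or a forged assertion is refused."""
    if request.method != "POST":
        return 405
    email = verify_assertion(request.post.get("assertion", ""), audience)
    if email is None:
        return 403
    request.session["user"] = email
    return 200
```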
Comment 5 (Assignee, 13 years ago)
The initial answer is "no need for CSRF", so until that changes I'm going to close this. Thanks Yvan!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated, 8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard