Closed
Bug 880900
Opened 11 years ago
Closed 11 years ago
Add CSRF token support to sso-ux.js
Categories: Webmaker Graveyard :: Login, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: jon, Assigned: mjschranz
Whiteboard: s=2013w24
Attachments: 1 file
From bug 878963, we need to add support for CSRF tokens to sso-ux.js. The way to do this is to look for a <meta name="csrf-token"> element (or some agreed-upon standard <meta> tag). Then, when sending an XHR to the local server, add the X-CSRF-Token header with the value of the <meta> tag.
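An added example, not the sso-ux.js change from the pull request: a page script reads the token from <meta name="csrf-token"> and attaches it as X-CSRF-Token only on state-changing XHRs to the page's own origin, so a cross-origin request to the login server (for which the page holds no token, as the review comment below points out) is sent without one. The function names, the pageOrigin parameter and the stub objects are my own assumptions.

```javascript
// Example (not the project's code): CSRF token lookup and header attachment
// as described in the bug, restricted to same-origin, non-safe requests.
const META_NAME = "csrf-token";     // the agreed-upon <meta name="..."> tag
const HEADER = "X-CSRF-Token";      // header the local server checks
const SAFE_METHODS = ["GET", "HEAD", "OPTIONS"]; // no state change, no token needed

// Read the token from a document-like object (real DOM or a stub in tests).
// Returns null when the tag is missing or its content is blank.
function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="' + META_NAME + '"]');
  if (!meta) return null;
  const value = (meta.getAttribute("content") || "").trim();
  return value.length ? value : null;
}

// Same-origin check on scheme + host + port; relative URLs resolve against
// pageOrigin (assumed to be the local server the page was served from).
function isSameOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Header value to send for this request, or null when none should be sent:
// cross-origin targets (e.g. the login server) never receive the local token.
function csrfHeaderFor(url, method, token, pageOrigin) {
  if (!token) return null;
  if (SAFE_METHODS.includes(method.toUpperCase())) return null;
  return isSameOrigin(url, pageOrigin) ? token : null;
}

// Open and send an XHR-like object, adding the header only when appropriate.
// Returns the header value that was attached (null if none), for inspection.
function sendWithCsrf(xhr, method, url, body, token, pageOrigin) {
  xhr.open(method, url, true);
  const value = csrfHeaderFor(url, method, token, pageOrigin);
  if (value !== null) xhr.setRequestHeader(HEADER, value);
  xhr.send(body);
  return value;
}

// In a browser, wire it to the real document and page origin.
if (typeof document !== "undefined" && typeof XMLHttpRequest !== "undefined") {
  const token = readCsrfToken(document);
  sendWithCsrf(new XMLHttpRequest(), "POST", "/api/user/session", null,
               token, window.location.origin);
}
```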
Updated • 11 years ago
Assignee: nobody → schranz.m

Comment 1 (Assignee) • 11 years ago
The major question is, do I need to add the token for all post requests (including the ones being sent to the login server related to users)?
Attachment #760023 - Flags: review?(jon)
Updated • 11 years ago

Comment 2 (Reporter) • 11 years ago
Comment on attachment 760023 [details] [review] https://github.com/mozilla/login.webmaker.org/pull/91 r+ with nits noted in the PR. This won't work for creating new users though, since we don't have a CSRF token from the login server to send with that request. I think we need to restructure the process so creating new users goes through the local server, not directly to the loginapi. This should work well enough for popcorn, thimble and webmaker.org though!
Attachment #760023 - Flags: review?(jon) → review+
Updated • 11 years ago

Comment 3 (Assignee) • 11 years ago
Maybe I'm reading the code wrong but it looks to me like it's doing that already. If you look at the script that's included on pages it's posting to whatever HOSTNAME was set to in the login server ENV. Pretty sure it is not using the loginapi. In any case, yay.
Status: NEW → ASSIGNED
Comment 4 • 11 years ago
Commit pushed to master at https://github.com/mozilla/login.webmaker.org https://github.com/mozilla/login.webmaker.org/commit/21de6c646933d37d6b04197f8c64b9c52c304220 Fix Bug 880900 - Add CSRF Token support to SSO requests
Updated • 11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated • 11 years ago
Attachment mime type: text/plain → text/x-github-pull-request