
403 status code for failed CSRF check (teamcity 2020.2) #37

Open
vong0 opened this issue Jul 2, 2021 · 2 comments

Comments

@vong0

vong0 commented Jul 2, 2021

On TeamCity 2021.2, when I try to use one of the functions for a POST request, I get the following CSRF errors:

dohq_teamcity.rest.ApiException: (403)
Reason: 
HTTP response headers: HTTPHeaderDict({'TeamCity-Node-Id': 'MAIN_SERVER', 'X-Content-Type-Options': 'nosniff', 'Content-Type': 'text/plain;charset=UTF-8', 'Content-Length': '347', 'Date': 'Fri, 02 Jul 2021 18:53:05 GMT'})
HTTP response body: 403 Forbidden: Responding with 403 status code due to failed CSRF check: authenticated POST request is made, but neither tc-csrf-token parameter nor X-TC-CSRF-Token header are provided.. For a temporary workaround, you can set internal property teamcity.csrf.paranoid=false  and provide valid Origin=http://localhost:8111 header with your request

The solution to this is apparently here: https://www.jetbrains.com/help/teamcity/csrf-protection.html#Implications+for+CORS+clients

Should the library be updated to take this into account as well?

==========================
The website says to:

  • token: recommend using token-based authentication and disabling cookie support (if you don't want to use a CSRF token)
  • HTTP authentication: apply for a CSRF token otherwise

Currently the rest.py::RESTClientObject::request(...) method always sets cookies if they are received:

```python
        if not 200 <= r.status <= 299:
            raise ApiException(http_resp=r)

        if self.cookie is None:
            self.cookie = r.getheader('Set-Cookie')
            # pass
        print("\n=============out cookie:", r.getheader('Set-Cookie'), "=============\n")
        return r
```

I think you should add an option to not store cookies (and implement the two methods they suggested above)?

@DenKoren
Contributor

DenKoren commented Sep 7, 2021

You can fix this with proper TC client configuration after init:

```python
tc = TeamCity(
    url="https://teamcity.example.service",
    configuration=cfg,
    ...
)
tc.default_headers["Origin"] = "https://teamcity.example.service"

# do your stuff here
```

The 'Origin' header provided in requests will calm down the CSRF protection of the TeamCity service if it equals the main service domain or matches one of the allowed domains listed in the TC server configuration.
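The following is an added example, not code from dohq-teamcity, TeamCity, or any of the commenters. It models the CSRF rule quoted in the 403 body in the opening post and the client options discussed in this thread: storing Set-Cookie as rest.py does (which reproduces the 403 on the next POST), sending X-TC-CSRF-Token, token-based auth with cookie storage disabled, and the Origin header from the comment above. The server class is a constructed stand-in; the GET /authenticationTest.html?csrf endpoint and the TCSESSIONID cookie name are assumptions taken from TeamCity's documented behaviour, and treating Authorization-only requests (no session cookie) as exempt from the check is a modelling assumption that matches the documentation's advice but is not verified against a real server.

```python
"""Toy model of TeamCity's CSRF check and a client that passes it.
Added example; not dohq-teamcity or TeamCity code."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SERVER_URL = "https://teamcity.example.service"  # constructed value


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


class FakeTeamCity:
    """Constructed stand-in server. Rule, as quoted in the 403 body: a POST
    authenticated by a session cookie must carry tc-csrf-token (parameter) or
    X-TC-CSRF-Token (header). With teamcity.csrf.paranoid=false a matching
    Origin header is accepted instead. Requests authenticated only by an
    Authorization header (no cookie) are modelled as exempt (assumption)."""

    def __init__(self, paranoid: bool = True):
        self.paranoid = paranoid
        self.sessions: Dict[str, str] = {}  # session id -> CSRF token

    def request(self, method: str, path: str, headers: Dict[str, str],
                params: Optional[Dict[str, str]] = None) -> Response:
        params = params or {}
        cookie = headers.get("Cookie", "")
        session = cookie[len("TCSESSIONID="):] if cookie.startswith("TCSESSIONID=") else None
        session_auth = session in self.sessions
        header_auth = headers.get("Authorization", "").startswith(("Bearer ", "Basic "))
        if not session_auth and not header_auth:
            return Response(401, "Unauthorized")
        resp_headers: Dict[str, str] = {}
        if not session_auth:
            # First request with credentials: open a session and hand out a cookie.
            session = secrets.token_hex(8)
            self.sessions[session] = secrets.token_hex(16)
            resp_headers["Set-Cookie"] = f"TCSESSIONID={session}"
        if path == "/authenticationTest.html?csrf":  # assumed token endpoint
            return Response(200, self.sessions[session], resp_headers)
        if method == "POST" and session_auth:
            token = headers.get("X-TC-CSRF-Token") or params.get("tc-csrf-token")
            origin_ok = not self.paranoid and headers.get("Origin") == SERVER_URL
            if token != self.sessions[session] and not origin_ok:
                return Response(403, "403 Forbidden: failed CSRF check", resp_headers)
        return Response(200, f"{method} {path} ok", resp_headers)


class Client:
    """Mirrors the rest.py behaviour quoted in the issue (stores the first
    Set-Cookie) and adds the options discussed: keep_cookies=False for
    token auth, fetch_csrf_token() for X-TC-CSRF-Token, origin= for the
    Origin workaround."""

    def __init__(self, server: FakeTeamCity, auth: str,
                 keep_cookies: bool = True, origin: Optional[str] = None):
        self.server, self.auth = server, auth
        self.keep_cookies, self.origin = keep_cookies, origin
        self.cookie: Optional[str] = None
        self.csrf_token: Optional[str] = None

    def request(self, method: str, path: str,
                params: Optional[Dict[str, str]] = None) -> Response:
        headers = {"Authorization": self.auth}
        if self.cookie:
            headers["Cookie"] = self.cookie
        if self.origin:
            headers["Origin"] = self.origin
        if self.csrf_token:
            headers["X-TC-CSRF-Token"] = self.csrf_token
        r = self.server.request(method, path, headers, params)
        if self.keep_cookies and self.cookie is None and "Set-Cookie" in r.headers:
            self.cookie = r.headers["Set-Cookie"]  # same as the rest.py snippet
        return r

    def fetch_csrf_token(self) -> str:
        r = self.request("GET", "/authenticationTest.html?csrf")
        self.csrf_token = r.body
        return r.body


def post_status(paranoid: bool, auth: str, keep_cookies: bool = True,
                origin: Optional[str] = None, with_token: bool = False) -> int:
    """Run one GET (which may store a cookie) and then a POST; return its status."""
    c = Client(FakeTeamCity(paranoid), auth, keep_cookies, origin)
    if with_token:
        c.fetch_csrf_token()
    else:
        c.request("GET", "/app/rest/server")
    return c.request("POST", "/app/rest/projects").status


if __name__ == "__main__":
    print("rest.py behaviour  :", post_status(True, "Basic dXNlcjpwYXNz"))
    print("X-TC-CSRF-Token    :", post_status(True, "Basic dXNlcjpwYXNz", with_token=True))
    print("token, no cookies  :", post_status(True, "Bearer <token>", keep_cookies=False))
    print("Origin, paranoid   :", post_status(True, "Basic dXNlcjpwYXNz", origin=SERVER_URL))
    print("Origin, not paranoid:", post_status(False, "Basic dXNlcjpwYXNz", origin=SERVER_URL))
```

In this model the Origin header only helps once the server has teamcity.csrf.paranoid=false, which is consistent with both the 403 text in the opening post and the later report that Origin alone did not work; fetching the token or not storing the session cookie passes the check regardless of that setting.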

@istvans

istvans commented Jan 19, 2024

I think the underlying cause of this issue is the same as #24 i.e. this library does not handle CSRF properly.

I had the same problem with TC 2022.04.

The suggestion here with the "Origin" header did not work for me, but the suggestion on the other issue did.
