Include reason in JSON response on CSRF failure

[sbesson]

If a POST/PUT/DELETE request is rejected by CsrfViewMiddleware, the current body of the HTTP response unconditionally suggests the rejection is due to an invalid CSRF token. However there are other reasons that might cause the rejection of the request such as a missing or malformed Referer header when connecting to HTTPS - see https://docs.djangoproject.com/en/4.2/ref/csrf/ for more details.

One way to test these condition is to do a simple connection test using the JSON API e.g. in Python using https://github.com/ome/openmicroscopy/blob/develop/examples/Training/python/Json_Api/Login.py and test various failures conditions including

• missing X-CSRFToken in the header
• invalid value for the X-CSRFToken in the header
• missing Referer in the header (note OMERO.web must be deployed on HTTPS)
• malformed Referer value in the header (note OMERO.web must be deployed on HTTPS)

Without this change the error should be identical in all situation making it quite hard to troubleshoot the issue without having access to the OMERO.web logs where the underlying caused is logged at WARN level.

{'message': "CSRF Error. You need to include valid CSRF tokens for any POST, PUT, PATCH or DELETE operations. You have to include CSRF token in the POST data or add the token to the HTTP header. "}

With this change, the response message should include the failure reason:

{'message': 'CSRF Failed: Referer checking failed - no Referer. '}

[knabar]

Agree that this is a big improvement for debugging failures. Should the error message now be reduced to just "CSRF Error: {reason}", since the extra information currently given about including the token and where it needs to be included might not be the cause of the error? Or only include it if reason is blank (if that can even happen)?

[sbesson]

Thanks @knabar, I should add here that ome/openmicroscopy#6419 expands the scope of the CSRF integration tests to cover several of these conditions (missing cookie, missing token, invalid/incorrect token) and check the error message.

On the content of the error message, I tried to limit the changes to the message in case someone is depending on its content but I agree it can still be misleading. An option would also be to review and link to the content of https://omero.readthedocs.io/en/stable/developers/Web/CSRF.html.

[will-moore]

Testing as suggested using merge-ci server from home, I always see:

Traceback (most recent call last):
  File "/Users/wmoore/Desktop/OMERO/openmicroscopy/examples/Training/python/Json_Api/Login.py", line 78, in <module>
    assert r.status_code == 200

At https://github.com/ome/openmicroscopy/blob/1ae1bfa5b831dc0225df48dbef7871cc6ab044f6/examples/Training/python/Json_Api/Login.py#L71

printing the login_rsp JSON I get

{'message': 'POST only with username, password, server and csrftoken'}

This is the same whether I include the token in the header or not. I can't manage to successfully login in any case.

I'll try setting up local server...

[will-moore]

Testing locally (without https)...

Without any CRSF token...

login_rsp {'message': 'CSRF Error. CSRF token missing. You need to include valid CSRF tokens for any POST, PUT, PATCH or DELETE operations. You have to include CSRF token in the POST data or add the token to the HTTP header.'}

With token + "foo"` or other invalid token

login_rsp {'message': "CSRF Error. CSRF token from the 'X-Csrftoken' HTTP header has incorrect length. You need to include valid CSRF tokens for any POST, PUT, PATCH or DELETE operations. You have to include CSRF token in the POST data or add the token to the HTTP header."}

With an old invalid token

login_rsp {'message': "CSRF Error. CSRF token from the 'X-Csrftoken' HTTP header incorrect. You need to include valid CSRF tokens for any POST, PUT, PATCH or DELETE operations. You have to include CSRF token in the POST data or add the token to the HTTP header."}

Missing Referer caused no issues (using http). Login success!

[sbesson]

Re #608 (comment), I was able to reproduce the issue while poiting to the OME CI Web deployment. Looking at the actually status code, it is not 403 but 405 i.e. Method Not Allowed. I suspect this is related to the deployment configuration with a NGINX proxy which might downgrade the POST requests to GET

[will-moore]

Tested again with last commit. Eg. {'message': 'CSRF Failed: CSRF token from POST has incorrect length.'} looks good.

[kkoz]

Tested with HTTPS. Used a valid sessionid and the /webclient/saveImgRDef endpoint.
Without Referer

{
    "message": "CSRF Failed: Referer checking failed - no Referer."
}

Without X-CSRFToken:

{
    "message": "CSRF Failed: CSRF token missing."
}

With X-CSRFToken but without csrftoken cookie:

{
    "message": "CSRF Failed: CSRF cookie not set."
}

With X-CSRFToken set to invalid value:

{
    "message": "CSRF Failed: CSRF token from the 'X-Csrftoken' HTTP header has incorrect length."
}

With X-CSRFToken correct but csrftoken cookie invalid value:

{
    "message": "CSRF Failed: CSRF cookie has incorrect length."
}

With X-CSRFToken and csrftoken correct but not matching:

{
    "message": "CSRF Failed: CSRF token from the 'X-Csrftoken' HTTP header incorrect."
}

With matching X-CSRFToken header and csrftoken cookie:
true