Comments (9)
Thanks a lot for figuring out my understanding gap about the "Additional Cookie part" for causing the problem for so long. I am very sorry for wasting your time. I think the issue can be closed.
from playframework.
The CSRFFilter is enabled automatically in Play, you do not need to enable it with play.filters.enabled += "play.filters.csrf.CSRFFilter", please remove that. See https://www.playframework.com/documentation/3.0.x/Filters#Default-Filters
How do you call your /post route? From a twirl view? With curl? You need to generate a csrf token or cookie somehow before and send that to this route so Play knows about it.
from playframework.
I updated the issue.
- Without play.filters.enabled += "play.filters.csrf.CSRFFilter" it is also not generated. That is why I added that in application.conf.
- I used Postman for calling the "/post". In the previous versions of Play I did not encounter such a thing. Basically, that would cause an authentication issue in the past version due to not sending the csrf token with the header from Postman, but in this case, I did not send a csrf token with the header, and no authentication complaint was raised. That means CSRFFilter is not checked by the filter returning 200 status.
from playframework.
The main issue is that the CSRF token is not checked by the application. I updated the issue.
from playframework.
Can you please provide me the exact curl command you run, including the -v verbose flag? Thanks!
from playframework.
And you say in Play 2.8 it behaved differently?
from playframework.
curl -X POST -H "Content-Type: application/json" -d '{"name": "John Doe", "age": 30, "city": "New York"}' http://127.0.0.1:9000/post -v
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 127.0.0.1:9000...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9000 (#0)
> POST /post HTTP/1.1
> Host: 127.0.0.1:9000
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 51
>
* upload completely sent off: 51 out of 51 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Permitted-Cross-Domain-Policies: master-only
< Date: Mon, 13 Nov 2023 08:26:24 GMT
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 4
<
* Connection #0 to host 127.0.0.1 left intact
from playframework.
And you say in Play 2.8 it behaved differently?
Yes, that would return a 401 (if I am not wrong). It was mandatory to attach the valid non-expired CSRF token with the header named "Csrf-Token".
from playframework.
I am pretty sure everything is ok. Please read the docs:
Play will require a CSRF check when all of the following are true:
- The request method is not GET, HEAD or OPTIONS.
- The request has one or more Cookie or Authorization headers.
- The CORS filter is not configured to trust the request's origin.
Your curl command has neither a Cookie nor an Authorization header.
When I
- add --cookie "USER_TOKEN=Yes" to your curl command, or
- add a header -H "Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l"
then I get a 403 Forbidden response. Also the Play app now logs:
2023-11-13 12:35:25 WARN play.filters.CSRF [CSRF] Check failed because no token found in headers for /post
I also tested with Play 2.8.21 and it has the exact same behaviour. If no Cookie and no Authorization header gets sent then it responds with 200 OK.
I also checked
git difftool 2.8.21..2.9.0 web/play-filters-helpers/src/main/scala/play/filters/csrf/
git difftool 2.8.21..2.9.0 web/play-filters-helpers/src/main/java/play/filters/csrf/
and there are no relevant changes that would change the behaviour.
I am pretty sure everything is ok.
from playframework.
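The three conditions quoted from the docs above, together with the two curl variants the maintainer tried, can be modelled as a small decision function. This is an added illustration, not Play's own filter code: it parses the `>` request lines as curl -v prints them, applies the "check required?" rule, and reports 403 plus the log line from the thread when a check is required but no Csrf-Token header is present. It assumes token presence is the only thing checked; real Play also compares that token against the copy in the session or cookie.

```python
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TOKEN_HEADER = "Csrf-Token"  # header name named in the thread


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_request_head(raw: str) -> Request:
    """Parse request lines in the form curl -v prints them ('> POST /post HTTP/1.1', ...)."""
    lines = [l[2:] if l.startswith("> ") else l for l in raw.strip().splitlines()]
    lines = [l for l in lines if l.strip()]
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return Request(method.upper(), path, headers)


def csrf_check_required(req: Request, origin_trusted_by_cors: bool = False) -> bool:
    """All three conditions from the Play docs must hold for a check to run."""
    if req.method in SAFE_METHODS:
        return False
    if req.header("Cookie") is None and req.header("Authorization") is None:
        return False
    if origin_trusted_by_cors:
        return False
    return True


def simulate_filter(req: Request, origin_trusted_by_cors: bool = False):
    """Return (status, log line). 200 means the request reaches the action unchecked
    or with a token present; token-vs-session comparison is out of scope (assumption)."""
    if not csrf_check_required(req, origin_trusted_by_cors):
        return 200, None
    if req.header(TOKEN_HEADER) is None:
        return 403, f"[CSRF] Check failed because no token found in headers for {req.path}"
    return 200, None


# Constructed copy of the request head from the curl -v output in this thread.
BARE = "> POST /post HTTP/1.1\n> Host: 127.0.0.1:9000\n> Content-Type: application/json\n"
WITH_COOKIE = BARE + "> Cookie: USER_TOKEN=Yes\n"
WITH_AUTH = BARE + "> Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l\n"
```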