Defect #10780

Logout by using POST REST API

Added by Vincent Schänzer about 8 years ago. Updated over 5 years ago.

Status: Needs feedback
Priority: Normal
Assignee: -
Category: REST API
Target version: -
Start date: 
Due date: 
% Done: 0%
Resolution: 
Affected version: 1.4.1

Description

I'm currently logged in to REDMINE, but after making a POST over the REST API, I'm no longer logged in to REDMINE.

About your application's environment
Ruby version 1.8.7 (x86_64-linux)
RubyGems version 1.3.7
Rack version 1.1.3
Rails version 2.3.14
Active Record version 2.3.14
Active Resource version 2.3.14
Action Mailer version 2.3.14
Active Support version 2.3.14
Database adapter sqlite3

Javascript:

var RedmineUrl = 'https://projects.modell-aachen.de';
var AuthToken = '9611ec7f30316e04967a0aef4ed34e44719405b7';

$.ajax({
    type: 'POST',
    url: RedmineUrl + '/issues.json',
    // jQuery passes this to xhr.open() as the HTTP Basic username;
    // Redmine accepts the API key there in place of a login.
    username: AuthToken,
    dataType: 'json',
    // Sent form-encoded as issue[project_id] and issue[subject].
    data: {"issue": {"project_id": "test", "subject": "Test issue"}},
    async: true,
    success: function(data){ console.dir(data); }
});

Related issues

Related to Redmine - Defect #15424: Filter chain halted as :verify_authenticity_token rendere... Closed

History

#1 Updated by Etienne Massip about 8 years ago

What's in your production.log?

#2 Updated by Vincent Schänzer about 8 years ago

Processing AccountController#login (for 77.11.63.231 at 2012-04-26 15:15:40) [POST]
  Parameters: {"password"=>"[FILTERED]", "authenticity_token"=>"zoLBWotuKKmwlcfb1w9Bfo7guuq1nZEN3FeOBBcXwHw=", "action"=>"login", "login"=>"Anmelden \302\273", "controller"=>"account", "back_url"=>"https%3A%2F%2Fprojects.modell-aachen.de%2F", "username"=>"schaenzer"}
Redirected to https://projects.modell-aachen.de/
Completed in 195ms (DB: 3) | 302 Found [https://projects.modell-aachen.de/login]

Processing WelcomeController#index (for 77.11.63.231 at 2012-04-26 15:15:41) [GET]
  Parameters: {"action"=>"index", "controller"=>"welcome"}
Rendering template within layouts/base
Rendering welcome/index
Completed in 188ms (View: 167, DB: 5) | 200 OK [https://projects.modell-aachen.de/]

Processing IssuesController#create to json (for 77.11.63.231 at 2012-04-26 15:15:49) [POST]
  Parameters: {"format"=>"json", "action"=>"create", "issue"=>{"subject"=>"Test issue", "project_id"=>"test"}, "controller"=>"issues"}
Filter chain halted as [:check_if_login_required] rendered_or_redirected.
Completed in 12ms (View: 0, DB: 2) | 401 Unauthorized [https://projects.modell-aachen.de/issues.json]

Processing IssuesController#create to json (for 77.11.63.231 at 2012-04-26 15:15:49) [POST]
  Parameters: {"format"=>"json", "action"=>"create", "issue"=>{"subject"=>"Test issue", "project_id"=>"test"}, "controller"=>"issues"}
Sending email notification to: 
Rendering issues/show (created)
Completed in 920ms (View: 48, DB: 29) | 201 Created [https://projects.modell-aachen.de/issues.json]

Processing WelcomeController#index (for 77.11.63.231 at 2012-04-26 15:15:58) [GET]
  Parameters: {"action"=>"index", "controller"=>"welcome"}
Redirected to https://projects.modell-aachen.de/login?back_url=https%3A%2F%2Fprojects.modell-aachen.de%2F
Filter chain halted as [:check_if_login_required] rendered_or_redirected.
Completed in 11ms (DB: 2) | 302 Found [https://projects.modell-aachen.de/]

Processing AccountController#login (for 77.11.63.231 at 2012-04-26 15:15:58) [GET]
  Parameters: {"action"=>"login", "controller"=>"account", "back_url"=>"https://projects.modell-aachen.de/"}
Rendering template within layouts/base
Rendering account/login
Completed in 20ms (View: 10, DB: 2) | 200 OK [https://projects.modell-aachen.de/login?back_url=https%3A%2F%2Fprojects.modell-aachen.de%2F]

#3 Updated by Patrick Atamaniuk about 8 years ago

Affects me, too.

Redmine version: tag 1.4.1
Ruby version 1.8.7 (x86_64-linux)
RubyGems version 1.6.2
Rack version 1.1.3
Rails version 2.3.14
Active Record version 2.3.14
Active Resource version 2.3.14
Action Mailer version 2.3.14
Active Support version 2.3.14
Database adapter postgresql 9.1.3-2
Database schema version 20120301153455

I am logged in: get the welcome page in the first browser tab.

Processing WelcomeController#index (for 192.168.57.1 at 2012-05-20 10:29:28) [GET]
  Parameters: {"action"=>"index", "controller"=>"welcome"}
Rendering template within layouts/base
Rendering welcome/index
Completed in 1886ms (View: 1190, DB: 531) | 200 OK [http://192.168.57.11/redmine/]

Using the API in another browser tab from a plugin:

Processing XblMasterBacklogController#productbacklog to json (for 192.168.57.1 at 2012-05-20 10:29:45) [POST]
  Parameters: {"project_id"=>"fooproject", "action"=>"update", "subject"=>"asd2", "issue_id"=>"7527", "format"=>"json", "controller"=>"xbl_master_backlog"}
Completed in 406ms (View: 45, DB: 315) | 200 OK [http://192.168.57.11/redmine/xbl_master_backlog/project/fooproject/productbacklog.json/7527?_dc=1337502585894]

Request completes successfully. (routes are ok, permissions ok, accept_api_auth ok etc.)

After that on the first tab i am logged out. Trying to get my page:

Processing MyController#account (for 192.168.57.1 at 2012-05-20 10:30:07) [GET]
  Parameters: {"action"=>"account", "controller"=>"my"}
Redirected to http://192.168.57.11/redmine/login?back_url=http%3A%2F%2F192.168.57.11%2Fredmine%2Fmy%2Faccount
Filter chain halted as [:check_if_login_required] rendered_or_redirected.
Completed in 165ms (DB: 147) | 302 Found [http://192.168.57.11/redmine/my/account]

Processing AccountController#login (for 192.168.57.1 at 2012-05-20 10:30:08) [GET]
  Parameters: {"action"=>"login", "back_url"=>"http://192.168.57.11/redmine/my/account", "controller"=>"account"}
Rendering template within layouts/base
Rendering account/login
Completed in 376ms (View: 103, DB: 248) | 200 OK [http://192.168.57.11/redmine/login?back_url=http%3A%2F%2F192.168.57.11%2Fredmine%2Fmy%2Faccount]

#4 Updated by Patrick Atamaniuk about 8 years ago

Although the request has a valid session cookie, it looks like the response header of the request sets the _redmine_session new.
This fixes it for me: https://gist.github.com/2758024
It also probably will kill my cat...

Edit: this could introduce csrf issues. This is no valid workaround.

#5 Updated by Etienne Massip about 8 years ago

  • Description updated (diff)

#6 Updated by Etienne Massip about 8 years ago

Can't reproduce; from what you say you're calling the API from a new tab in the browser, so the already authenticated user session will be used instead of the specified API user, won't it?

#7 Updated by Patrick Atamaniuk about 8 years ago

So I would have expected, too. But it seems that the authenticated session is not used.
The XMLHttpRequest POST header does indeed contain the session cookie, but in (1.4.2) app/controllers/application_controller.rb, find_current_user falls into the

elsif Setting.rest_api_enabled? && accept_api_auth?

branch. session[:user_id] seems not to be set at this point.

Redmine then successfully uses the api key, but returns a new session cookie with no user_id, thus logging out the other tab.
I'd construct a minimal test plugin for your convenience. I would need some days to prepare that.

#8 Updated by Patrick Atamaniuk about 8 years ago

I have put together a testcase which you can use to reproduce the effect:
https://patrickatamaniuk@github.com/patrickatamaniuk/redmine_REST_test.git

I hope it proves useful.

#9 Updated by Patrick Atamaniuk about 8 years ago

Providing a valid X-CSRF-Token in the POST request headers solves the issue.

See redmine public/javascripts/application.js how to do this.
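The sequence described in notes #7 and #9 (CSRF check first, session reset on failure, user lookup from the session before the API key) can be reproduced without a Redmine install. The following is an added example written for this page, not Redmine's or Rails' code; it models, under its own class and method names, the behaviour the thread describes and assumes the Rails 2.3.11+ rule that a failed authenticity check resets the session instead of raising. All credentials in it are constructed.

```ruby
require 'securerandom'

# Constructed credentials for the example; nothing here is a real key.
EXAMPLE_API_KEY = 'constructed0000000000000000000000000000key'
EXAMPLE_LOGIN   = 'schaenzer'
EXAMPLE_PASS    = 'secret'

# The per-browser state the session cookie points at.
Session = Struct.new(:user_id, :csrf_token)

class ToyRedmine
  def new_session
    Session.new(nil, SecureRandom.hex(16))
  end

  # Form login: a browser POST that carries the CSRF token from the page.
  def login(session, username, password, csrf_token)
    verify_authenticity_token(:post, session, csrf_token)
    return 401 unless username == EXAMPLE_LOGIN && password == EXAMPLE_PASS
    session.user_id = username
    302
  end

  # Any other request. `api_key` stands for the key sent as the Basic-auth
  # username or in X-Redmine-API-Key; nil when the client sent none.
  def request(session, method, csrf_token: nil, api_key: nil)
    verify_authenticity_token(method, session, csrf_token)
    find_current_user(session, api_key) ? 200 : 401
  end

  private

  # Model of protect_from_forgery as of Rails 2.3.11 / 3.0.4: a non-GET request
  # whose token does not match the session is not rejected with an exception;
  # the session is reset instead (Rails 3 logs "Can't verify CSRF token
  # authenticity" at this point). That reset is what logs the other tab out.
  def verify_authenticity_token(method, session, csrf_token)
    return if method == :get
    return if csrf_token == session.csrf_token
    session.user_id = nil
    session.csrf_token = SecureRandom.hex(16)
  end

  # Session user first; the API key is consulted only when the session has no
  # user, authenticates this request only, and is never stored in the session.
  def find_current_user(session, api_key)
    return session.user_id if session.user_id
    EXAMPLE_LOGIN if api_key == EXAMPLE_API_KEY
  end
end

# Scenario from the log in note #2: XHR POST from a second tab of the same
# browser. The cookie is sent, no X-CSRF-Token is sent, and jQuery's
# `username` option only supplies the API key on the retry after the 401.
def same_browser_without_token
  app = ToyRedmine.new
  s = app.new_session
  app.login(s, EXAMPLE_LOGIN, EXAMPLE_PASS, s.csrf_token)
  first  = app.request(s, :post)                            # 401, session reset
  second = app.request(s, :post, api_key: EXAMPLE_API_KEY)  # 200 via the key
  after  = app.request(s, :get)                             # 401, first tab is out
  [first, second, after]
end

# The fix from note #9: send the page's CSRF token with the XHR.
def same_browser_with_token
  app = ToyRedmine.new
  s = app.new_session
  app.login(s, EXAMPLE_LOGIN, EXAMPLE_PASS, s.csrf_token)
  post  = app.request(s, :post, csrf_token: s.csrf_token, api_key: EXAMPLE_API_KEY)
  after = app.request(s, :get)
  [post, after]
end

# Regular REST use as note #10 describes it: a separate client that sends no
# browser cookie gets its own empty session, so the browser's is untouched.
def separate_client
  app = ToyRedmine.new
  browser = app.new_session
  app.login(browser, EXAMPLE_LOGIN, EXAMPLE_PASS, browser.csrf_token)
  post  = app.request(app.new_session, :post, api_key: EXAMPLE_API_KEY)
  after = app.request(browser, :get)
  [post, after]
end

if __FILE__ == $PROGRAM_NAME
  p same_browser_without_token, same_browser_with_token, separate_client
end
```

Running it prints [401, 200, 401], [200, 200] and [200, 200]: the first triple is the 401 / 201 / redirect-to-login sequence in the production.log above, and the other two are the two ways to avoid it (carry the token when the request comes from the logged-in browser, or keep API-key clients out of the browser's cookie jar entirely).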

#10 Updated by Etienne Massip about 8 years ago

That's related to the use of the new tab in the same browser, this is not a regular use of the Rest API.

#11 Updated by Terence Mill about 8 years ago

I think the stufftodo plugin utilizes this the same way, which is why we get logged out, or not logged out correctly, when using two tabs in the same browser.

https://github.com/GOYELLO/goyello_stuff_to_do/issues/15

I vote to fix that behaviour and allow such usage for future.

#12 Updated by Adam Chasen over 7 years ago

This appears to affect several different uses of the REST API, including applications such as RedminePro. I am using the latest version of Redmine (2.0.4).

I receive the following in my production log whenever running a POST:

Started POST "/projects/8/issues.json" for 127.0.0.1 at Mon Sep 24 22:27:22 +0000 2012
Processing by IssuesController#create as JSON
  Parameters: {"project_id"=>"8", "issue"=>{"custom_field_values"=>{}, "project_id"=>8, "done_ratio"=>"0", "subject"=>"Trench", "tracker_id"=>2, "description"=>"Dig trench for foundation"}}
WARNING: Can't verify CSRF token authenticity
Filter chain halted as :authorize rendered or redirected
Completed 401 Unauthorized in 195ms (ActiveRecord: 1.8ms)

Should RedminePro be adding the CSRF header? It seems like that would break a simple REST implementation especially considering that the API key for REST use appears to be there explicitly to avoid this mess.

#13 Updated by Terence Mill over 7 years ago

I'm using redmine 2.1.4

The same problem occurs for the Fat Client Redmine Client from Mana-Sys. But only on write (POST) operations, not on read access.

WARNING: Can't verify CSRF token authenticity

#14 Updated by @ go2null over 5 years ago

related to Defect #15424

#15 Updated by Mischa The Evil over 5 years ago

  • Status changed from New to Needs feedback

@ go2null wrote:

related to Defect #15424

That would also mean that the issues reported in this issue were fixed starting from Redmine 2.4.0.
Can anybody acknowledge this?

#16 Updated by Mischa The Evil over 5 years ago

  • Related to Defect #15424: Filter chain halted as :verify_authenticity_token rendered or redirected added
