"Origin checking failed" not fixable by CSRF_TRUSTED_ORIGINS? #7382

Open
kelbstf opened this issue Jan 22, 2024 · 6 comments

Labels: bug (Something isn't working), good first issue (Good for newcomers)

Comments

kelbstf commented Jan 22, 2024

Actions before raising this issue

  • I searched the existing issues and did not find anything similar.
  • I read/searched the docs

Steps to Reproduce

  1. Install CVAT 2.10.1 docker based, cloned from git, following "Quick installation guide" (https://opencv.github.io/cvat/docs/administration/basics/installation/#quick-installation-guide) minutely
  2. Specify CVAT_HOST to the external IP on the LAN
  3. Log in to application succeeds
  4. Access to admin page and entering user properties succeeds
  5. Submitting via "SAVE" throws
    a) "Forbidden (403) CSRF verification failed. Request aborted. More information is available with DEBUG=True." in UI, and
    b) "DEBG 'uvicorn-1' stderr output: WARNING django.security.csrf: Forbidden (Origin checking failed - https://10.20.0.10 does not match any trusted origins.): /admin/auth/user/add/" in log file

Expected Behavior

  1. Since access to the application and admin interface already succeed and work perfectly fine throughout the entire UI, POST interactions on the /admin page should not make a difference?
  2. If cross-site access is rightfully blocked by Django's origin checking, because the accessing IP/FQDN is not yet in the list of "trusted origins", adding it via CSRF_TRUSTED_ORIGINS/SMOKESCREEN_OPTS should be possible and allow POST from /admin?

Possible Solution

According to:
#6516
#6760
#6362
#6760
doccano/doccano#1820

CSRF_TRUSTED_ORIGINS = [ 'https://10.20.0.10' ].
and/or
SMOKESCREEN_OPTS: "trusted_origins=https://10.20.0.10"
Shouldn't setting "CSRF_TRUSTED_ORIGINS" allow to add trusted domains/IPs to the origin checking whitelist?

Context

  1. The application has to run behind a reverse proxy:
    [ 0.0.0.0:8080 => 10.10.0.100:443 (Host)] => 10.20.0.100:443 (LAN)
    The reverse proxy is terminating SSL, using an institutional certificate
  2. I tried to set "CSRF_TRUSTED_ORIGINS" and/or "SMOKESCREEN_OPTS" in docker-compose.yml and/or base.py, in several syntax variants, for just cvat_server and/or cvat_ui and/or globally
    but it looks like this configuration never takes effect?

Environment

CVAT 2.10.1 cloned from Git and implemented exactly following "Quick installation guide" (https://opencv.github.io/cvat/docs/administration/basics/installation/#quick-installation-guide), except for specifying CVAT_HOST=10.20.0.10.
Unfortunately we need to host the application on our inhouse infrastructure due to inhouse policies.
@kelbstf kelbstf added the bug Something isn't working label Jan 22, 2024
@kelbstf kelbstf changed the title "Origin checking failed" not fixable by CSRF_TRUSTED_ORIGINS "Origin checking failed" not fixable by CSRF_TRUSTED_ORIGINS? Jan 22, 2024
@nmanovic nmanovic added the good first issue Good for newcomers label Mar 5, 2024
@thekavikumar (Contributor)

@nmanovic can I work on this issue?

@jackylamhk (Contributor)

miroai@1c97a44
Adding the base URL helped me. I ran into this issue trying to run it behind a reverse proxy some time ago, give it a try :)

@Shreyamitti

> miroai@1c97a44 Adding the base URL helped me. I ran into this issue trying to run it behind a reverse proxy some time ago, give it a try :)

I tried this issue, still I see the error: "CSRF Failed: Origin checking failed - https://my domain url does not match any trusted origins."

@Shreyamitti

Error message I see after following all the steps and adding my domain url in the relevant fields:
CSRF Failed: Origin checking failed - https://domainurl does not match any trusted origins.

derifle commented Dec 29, 2024

Problem with CSRF

> Error message I see after following all the steps and adding my domain url in the relevant fields

Also set ALLOWED_HOSTS: '*'
Also added CVAT_HOST: to docker-compose.yml
cvat_server | [2024-12-29 15:41:35,080] WARNING django.security.csrf: Forbidden (Origin checking failed - https://my does not match any trusted origins.): /admin/auth/user/add/
I also have these errors in Grafana:

{"basename":"events","action":"create","request":{"url":"/api/events?org=","query_params":{"org":""},"content_type":"application/json","method":"POST","id":"ec14b6b4-3595-4846-8403-13e85755babf"},"message":"rest_framework.exceptions.PermissionDenied: CSRF Failed: Origin checking failed - https://my does not match any trusted origins.","stack":"Traceback (most recent call last):\n  File \"/opt/venv/lib/python3.10/site-packages/rest_framework/views.py\", line 497, in dispatch\n    self.initial(request, *args, **kwargs)\n  File \"/opt/venv/lib/python3.10/site-packages/rest_framework/views.py\", line 414, in initial\n    self.perform_authentication(request)\n  File \"/opt/venv/lib/python3.10/site-packages/rest_framework/views.py\", line 324, in perform_authentication\n    request.user\n  File \"/opt/venv/lib/python3.10/site-packages/rest_framework/request.py\", line 231, in user\n    self._authenticate()\n  File \"/opt/venv/lib/python3.10/site-packages/rest_framework/request.py\", line 384, in _authenticate\n    user_auth_tuple = authenticator.authenticate(self)\n  File \"/opt/venv/lib/python3.10/site-packages/rest_framework/authentication.py\", line 130, in authenticate\n    self.enforce_csrf(request)\n  File \"/opt/venv/lib/python3.10/site-packages/rest_framework/authentication.py\", line 148, in enforce_csrf\n    raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)\nrest_framework.exceptions.PermissionDenied: CSRF Failed: Origin checking failed - https://my does not match any trusted origins.\n","status_code":403}

Solution

Fixed by mounting production.py into the container at /home/django/cvat/setting/production.py with

CSRF_TRUSTED_ORIGINS = [
    'https://my',
]

or in docker-compose.yml for cvat_server:

  volumes:
      - <path>/production.py:/home/django/cvat/settings/production.py
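
The two questions in this thread, kelbstf's "shouldn't CSRF_TRUSTED_ORIGINS add the origin to the whitelist?" and why derifle's production.py entry works while other variants do not, come down to how Django's CsrfViewMiddleware matches the browser's Origin header. The following is an added, simplified model of that check written for this thread; it is not Django's or CVAT's code, and the hosts, IPs and trusted lists in it are constructed from the values quoted above. It shows the three cases that decide the outcome behind a TLS-terminating proxy: Django's own view of the request is http://10.20.0.10, so the same-origin shortcut fails; the entry must carry the scheme the browser sends (https://), and it must match host and port exactly unless a `*.` wildcard is used.

```python
"""Model of the Origin check behind Django's "Origin checking failed" message.

Added example for this thread, not Django's or CVAT's code. It reproduces the
documented CSRF_TRUSTED_ORIGINS rules in simplified form: entries need a scheme
(required since Django 4.0), 'scheme://host[:port]' must match exactly, and
'scheme://*.domain' matches that domain and its subdomains. Host names, IPs and
trusted lists below are constructed from the values quoted in the thread.
"""
from urllib.parse import urlsplit


def split_trusted_origins(trusted):
    """Split CSRF_TRUSTED_ORIGINS into exact origins and per-scheme wildcard suffixes."""
    exact = set()
    wildcards = {}  # scheme -> [".lab.example", ...]
    for origin in trusted:
        parts = urlsplit(origin)
        if not parts.scheme or not parts.netloc:
            # Django 4.0+ rejects entries without a scheme; mirror that here.
            raise ValueError(f"{origin!r} must start with a scheme, e.g. https://10.20.0.10")
        if parts.netloc.startswith("*."):
            wildcards.setdefault(parts.scheme, []).append(parts.netloc[1:])
        else:
            exact.add(f"{parts.scheme}://{parts.netloc}")
    return exact, wildcards


def same_domain(host, pattern):
    """'.lab.example' matches 'lab.example' itself and any subdomain of it."""
    return host == pattern[1:] or host.endswith(pattern)


def origin_verified(origin_header, request_scheme, request_host, trusted):
    """Return (accepted, reason) for an unsafe request carrying an Origin header.

    request_scheme/request_host are what Django itself sees for the request;
    behind a TLS-terminating proxy that is typically 'http' unless the proxy's
    forwarded-proto header is honoured, so the same-origin shortcut fails and
    the browser's Origin has to be found in CSRF_TRUSTED_ORIGINS.
    """
    request_origin = f"{request_scheme}://{request_host}"
    if origin_header == request_origin:
        return True, "same-origin request"
    exact, wildcards = split_trusted_origins(trusted)
    if origin_header in exact:
        return True, "listed in CSRF_TRUSTED_ORIGINS"
    parts = urlsplit(origin_header)
    for suffix in wildcards.get(parts.scheme, []):
        if same_domain(parts.netloc, suffix):
            return True, f"matches wildcard {parts.scheme}://*{suffix}"
    return False, f"Origin checking failed - {origin_header} does not match any trusted origins."


# Constructed scenarios mirroring the thread: the browser sends
# Origin: https://10.20.0.10, the proxy terminates TLS, Django sees plain http.
SCENARIOS = [
    ("no trusted origins",      "https://10.20.0.10",       "http", "10.20.0.10",       []),
    ("derifle's production.py", "https://10.20.0.10",       "http", "10.20.0.10",       ["https://10.20.0.10"]),
    ("wrong scheme in list",    "https://10.20.0.10",       "http", "10.20.0.10",       ["http://10.20.0.10"]),
    ("port not in list",        "https://10.20.0.10:8443",  "http", "10.20.0.10",       ["https://10.20.0.10"]),
    ("wildcard for a domain",   "https://cvat.lab.example", "http", "cvat.lab.example", ["https://*.lab.example"]),
]


def run_scenarios():
    """Return {label: accepted} so the outcomes can be checked programmatically."""
    return {label: origin_verified(o, s, h, t)[0] for label, o, s, h, t in SCENARIOS}


if __name__ == "__main__":
    for label, o, s, h, t in SCENARIOS:
        ok, reason = origin_verified(o, s, h, t)
        print(f"{'PASS' if ok else '403 '} {label:24s} {reason}")
```

Running it prints one line per scenario; only the exact https://10.20.0.10 entry and the wildcard case pass, while the http:// entry and the port mismatch produce the same "does not match any trusted origins" reason seen in the logs above. When checking a deployment, compare the Origin value printed in the warning character-for-character with the configured entry, scheme and port included, and confirm the setting actually reaches the running process (for instance by inspecting it from the container's Django shell) before changing proxy configuration.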

kevle1 commented Jan 2, 2025

This was pretty frustrating; the same issue was raised here (#6321) and had an attached PR which was closed.

I followed this workaround: #6322 (comment) as overriding production.py caused some issues for me.
