
[Bug]: API requests a CSRF cookie, even when CSRF is disabled

Open janwippr opened this issue 1 year ago • 2 comments

Installation Method

Docker

The Problem

Forbidden (403) CSRF verification failed. Request aborted. Docker config: see the "Docker Configuration" section below.

Tested with PowerShell:

    # $sourceFilePath, $xapikey and $outputPdfPath are assumed to be set earlier in the script
    $apiUrl = "http://192.168.178.100:8000/api/v1/convert/img/pdf"
    $formData = @{
        "fileInput"  = Get-Item -Path $sourceFilePath
        "fitOption"  = "fillPage"
        "colorType"  = "color"
        "autoRotate" = "false"
    }
    $headers = @{ "X-API-Key" = $xapikey }
    $response = Invoke-RestMethod -Uri $apiUrl -Method Post -Form $formData -Headers $headers -OutFile $outputPdfPath

When I use the docker config

      - SECURITY_ENABLELOGIN=false

I get the PDF.

Version of Stirling-PDF

0.34.0

Last Working Version of Stirling-PDF

No response

Page Where the Problem Occurred

No response

Docker Configuration

      - DOCKER_ENABLE_SECURITY=true
      - INSTALL_BOOK_AND_ADVANCED_HTML_OPS=false
      - LANGS=de_DE
      - SECURITY_ENABLELOGIN=true
      - SECURITY_CSRFDISABLED=true

Relevant Log Output

No response

Additional Information

No response

Browsers Affected

No response

No Duplicate of the Issue

  • [X] I have verified that there are no existing issues raised related to my problem.

janwippr, Nov 26 '24 13:11

Hey @janwippr! I'm here to help you with any bugs, questions, or contributions. Let's tackle this together while we wait for a human maintainer.

When SECURITY_CSRFDISABLED is set to true, CSRF protection should be disabled in Stirling-PDF. However, if you're still encountering a CSRF verification error, it might be due to a configuration issue or a bug in the application.

Here are a few things you can check or try:

  1. Configuration Verification: Double-check your Docker configuration to ensure that SECURITY_CSRFDISABLED=true is correctly set and applied. Sometimes, environment variables might not be picked up correctly if there are syntax errors or if the configuration is not properly loaded.

  2. Application Restart: Ensure that the application is restarted after making changes to the Docker configuration. This ensures that all environment variables are reloaded.

  3. Logs: Check the application logs for any errors or warnings that might indicate why CSRF protection is still being enforced.

  4. Version Check: Make sure you are using the correct version of Stirling-PDF and that there are no known issues with CSRF handling in that version. According to the information available, there are no documented issues regarding CSRF handling in version 0.34.0, but this might not be exhaustive.

  5. Alternative Configuration: As a temporary workaround, you mentioned that setting SECURITY_ENABLELOGIN=false allows the request to succeed. This might indicate an interaction between login requirements and CSRF settings that needs further investigation.

If the issue persists, it might be worth investigating further in the codebase or reaching out to the development team for a deeper dive into the problem.

To continue talking to Dosu, mention @dosu.

dosubot[bot], Nov 26 '24 13:11
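To make the interaction between the login and CSRF settings (the bot's fifth point) concrete, here is a small model of the decision a CSRF filter should make per request, beside the behaviour the report describes. It is an added example for this thread, not Stirling-PDF's own filter code; the settings mirror SECURITY_ENABLELOGIN and SECURITY_CSRFDISABLED and the header X-API-Key from the report, while X-XSRF-TOKEN, JSESSIONID and the key value are assumed.

```python
from dataclasses import dataclass, field

# Methods that do not change state and so never need a CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass
class Settings:
    enable_login: bool = True     # SECURITY_ENABLELOGIN in the report
    csrf_disabled: bool = False   # SECURITY_CSRFDISABLED in the report

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

def csrf_check_required(req: Request, s: Settings) -> bool:
    """Decide whether this request must present a valid CSRF token.

    CSRF is a cookie problem: a browser attaches session cookies to a
    cross-site POST on its own but never adds a custom header. A request
    authenticated with X-API-Key (the header the report uses) therefore
    cannot be forged by another origin and needs no token.
    """
    if s.csrf_disabled or not s.enable_login:
        return False   # operator turned the check off, or there are no sessions
    if req.method.upper() in SAFE_METHODS:
        return False
    if "X-API-Key" in req.headers:
        return False   # header-authenticated, not cookie-authenticated
    return True

def handle(req: Request, s: Settings, expected_token: str) -> int:
    """HTTP status of the correct model; X-XSRF-TOKEN is an assumed header name."""
    if csrf_check_required(req, s) and req.headers.get("X-XSRF-TOKEN") != expected_token:
        return 403
    return 200

def handle_as_reported(req: Request, s: Settings, expected_token: str) -> int:
    """Behaviour the report describes: once login is enabled, the flag and the
    API key are ignored and every unsafe request without a token gets a 403."""
    if s.enable_login and req.method.upper() not in SAFE_METHODS:
        if req.headers.get("X-XSRF-TOKEN") != expected_token:
            return 403
    return 200
```

The first two assertions in a quick check are the report itself: the same API-key POST is accepted by the correct model and rejected with 403 by the reported one.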

Docker images removed and pulled again; the log says csrfDisabled=true but it does not work:

    2024-11-26 16:03:55,099 INFO s.s.S.SPdfApplication [main] Starting SPdfApplication v0.34.0 using Java 21.0.5 with PID 9 (/app.jar started by stirlingpdfuser in /)
    2024-11-26 16:03:55,105 INFO s.s.S.SPdfApplication [main] The following 1 profile is active: "default"
    2024-11-26 16:04:00,433 INFO s.s.S.SPdfApplication [main] Running configs ApplicationProperties(legal=ApplicationProperties.Legal(termsAndConditions=https://www.stirlingpdf.com/terms-and-conditions, privacyPolicy=https://www.stirlingpdf.com/privacy-policy, accessibilityStatement=, cookiePolicy=, impressum=), security=ApplicationProperties.Security(enableLogin=false, csrfDisabled=true, initialLogin=ApplicationProperties.Security.InitialLogin(username=), oauth2=ApplicationProperties.Security.OAUTH2(enabled=false, issuer=, clientId=, autoCreateUser=false, blockRegistration=false, useAsUsername=email, scopes=[openid, profile, email], provider=google, client=ApplicationProperties.Security.OAUTH2.Client(google=Google [clientId=, clientSecret=NULL, scopes=[https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile], useAsUsername=email], github=GitHub [clientId=, clientSecret=NULL, scopes=[read:user], useAsUsername=login], keycloak=Keycloak [issuer=, clientId=, clientSecret=NULL, scopes=[openid, profile, email], useAsUsername=preferred_username])), saml2=stirling.software.SPDF.model.ApplicationProperties$Security$SAML2@4403bff8, loginAttemptCount=5, loginResetTimeMinutes=120, loginMethod=all), system=ApplicationProperties.System(defaultLocale=en-US, googlevisibility=false, showUpdate=false, showUpdateOnlyAdmin=false, customHTMLFiles=false, tessdataDir=/usr/share/tessdata, enableAlphaFunctionality=false, enableAnalytics=undefined), ui=ApplicationProperties.Ui(appName=null, homeDescription=null, appNameNavbar=null), endpoints=ApplicationProperties.Endpoints(toRemove=[], groupsToRemove=[]), metrics=ApplicationProperties.Metrics(enabled=true), automaticallyGenerated=ApplicationProperties.AutomaticallyGenerated(UUID=5f365070-8548-4723-b168-436ec971a562), enterpriseEdition=ApplicationProperties.EnterpriseEdition(enabled=false, maxUsers=0, customMetadata=ApplicationProperties.EnterpriseEdition.CustomMetadata(autoUpdateMetadata=false, author=username, creator=Stirling-PDF, producer=Stirling-PDF)), autoPipeline=ApplicationProperties.AutoPipeline(outputFolder=null), processExecutor=ApplicationProperties.ProcessExecutor(sessionLimit=ApplicationProperties.ProcessExecutor.SessionLimit(libreOfficeSessionLimit=1, pdfToHtmlSessionLimit=1, ocrMyPdfSessionLimit=2, pythonOpenCvSessionLimit=8, ghostScriptSessionLimit=16, weasyPrintSessionLimit=16, installAppSessionLimit=1, calibreSessionLimit=1), timeoutMinutes=ApplicationProperties.ProcessExecutor.TimeoutMinutes(libreOfficeTimeoutMinutes=30, pdfToHtmlTimeoutMinutes=20, ocrMyPdfTimeoutMinutes=30, pythonOpenCvTimeoutMinutes=30, ghostScriptTimeoutMinutes=30, weasyPrintTimeoutMinutes=30, installAppTimeoutMinutes=60, calibreTimeoutMinutes=30)))
    2024-11-26 16:04:01,526 INFO s.s.S.c.EndpointConfiguration [main] Total disabled endpoints: 2. Disabled endpoints: book-to-pdf, pdf-to-book
    2024-11-26 16:04:05,102 INFO s.s.S.SPdfApplication [main] Started SPdfApplication in 11.737 seconds (process running for 14.014)
    2024-11-26 16:04:05,122 WARN s.s.S.u.FileMonitor [scheduling-1] not monitoring any directory, even the root directory itself: ./pipeline/watchedFolders
    2024-11-26 16:04:05,125 INFO s.s.S.u.FileMonitor [scheduling-1] Registered directory: ./pipeline/watchedFolders
    2024-11-26 16:04:05,128 INFO s.s.S.SPdfApplication [main] Stirling-PDF Started.
    2024-11-26 16:04:05,129 INFO s.s.S.SPdfApplication [main] Navigate to http://localhost:8080

janwippr, Nov 26 '24 16:11

Is this still happening in latest version?

Frooodle, Jan 08 '25 14:01

Closing as no response.

Frooodle, Feb 06 '25 16:02