403 Access Forbidden by CSRFProtector
Teampass version: 3.1.2.29 PHP version: 8.2.7
I'm encountering a "403 Access Forbidden by CSRFProtector!" error while attempting to authorize the API. Below is the content of my csrfp.config.php file.
```php
<?php
/**
 * Configuration file for CSRF Protector
 */
return array(
    "CSRFP_TOKEN" => "7e637*********ed10876f3",
    "logDirectory" => "../log",
    "failedAuthAction" => array(
        "GET" => 0,
        "POST" => 0),
    "errorRedirectionPage" => "",
    "customErrorMessage" => "",
    "jsPath" => "../js/csrfprotector.js",
    "jsUrl" => "http://teampass.domain.local/includes/libraries/csrfp/js/csrfprotector.js",
    "tokenLength" => 50,
    "cookieConfig" => array(
        "expire" => '',
        "path" => '',
        "domain" => '',
        "secure" => true,
        "httponly" => true,
        "samesite" => "Lax", // None || Lax || Strict
    ),
    "disabledJavascriptMessage" => "This site attempts to protect users against <a href=\"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\">
        Cross-Site Request Forgeries</a> attacks. In order to do so, you must have JavaScript enabled in your web browser otherwise this site will fail to work correctly for you. See details of your web browser for how to enable JavaScript.",
    "verifyGetFor" => array("type=duo_check", "upload.attachments.php", "upload.files.php", "type=ga_generate_qr")
);
```
I'm using the following command to authorize the API:
```shell
curl -L -X POST \
  http://teampass.domain.local/api/index.php/authorize \
  -H 'Content-Type: application/json' \
  -d '{ "apikey": "Kx", "login": "test", "password": "8zY***" }'
```
docker-compose.yaml:

```yaml
version: "3"
services:
  nginx:
    image: jwilder/nginx-proxy:alpine
    container_name: tp_nginx
    restart: unless-stopped
    networks:
      - frontend
      - backend
    ports:
      - "80:80"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
  teampass-web:
    image: dormancygrace/teampass:latest
    container_name: tp_web
    restart: unless-stopped
    environment:
      VIRTUAL_HOST: teampass.domain.local
      VIRTUAL_PORT: 80
    volumes:
      - /var/tp:/var/www/html
    networks:
      - teampass-internal
      - backend
    depends_on:
      - db
  db:
    restart: unless-stopped
    image: yobasystems/alpine-mariadb:latest
    ports:
      - 3306:3306
    environment:
      MYSQL_ROOT_PASSWORD: xxx
      MYSQL_DATABASE: teampass
      MYSQL_PASSWORD: xxxx
      MYSQL_USER: teampass
    volumes:
      - /var/tp-db:/var/lib/mysql
    networks:
      - teampass-internal
networks:
  frontend:
  backend:
    external: true
  teampass-internal:
```
Did you solve that?
I receive the same problem.
```shell
curl -i -k -X POST --header "Content-Type: application/json" --data '{"apikey": "key", "user":"a.kopytin", "password":"pass"}' https://tp.antisleep.local/api/index.php/authorize
```

Response:

```http
HTTP/1.1 403 Forbidden
Server: nginx/1.22.1
Date: Fri, 20 Jun 2025 11:31:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SameOrigin
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0

<h2>403 Access Forbidden by CSRFProtector!</h2>
```
I have exactly the same problem.
Using

```shell
curl -i -k -X POST -H "Content-Type: application/json" -d '{"apikey":"user_personal_api_token","login":"user_name","password":"user_pass"}' https://teampass.local/api/index.php/authorize
```

I got the same answer as @slipmetal above.
Teampass version 3.1.4.36, PHP version 8.3, Nginx.
In the Teampass configuration the API is enabled and the user has API rights assigned (in fact this does not matter: the response is the same whether the rights are on or off).
The API has never worked for me; I cannot authenticate. The last Teampass update was made 3 days ago (there were some API fixes in recent weeks).
Any hint what else can be checked or set? There is not much about the API in https://documentation.teampass.net
In my case the trouble was in the nginx configuration; I forgot to add:

```nginx
location /api/ {
    try_files $uri $uri/ /api/index.php?$args;
}
```
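A small troubleshooting script, added here as an example and not taken from the thread or from Teampass, that ties the two symptoms together: it classifies a saved `curl -i` response to `/api/index.php/authorize` (CSRFProtector HTML versus a JSON answer from the API front controller) and checks whether an nginx config contains the `location /api/` fallback to `/api/index.php` from the last post. The response and config samples are constructed inline, and the JSON success body is a placeholder, not the real Teampass API format.

```shell
#!/bin/sh
# Added example (not from the thread or Teampass). Two checks, then a combined verdict.
# Sample response/config files below are constructed; the JSON body is a placeholder.

# classify_authorize_response FILE -> csrf-blocked | api-json | other
# csrf-blocked means the web front controller (index.php, which loads CSRFProtector)
# answered instead of api/index.php, i.e. the request was sent to the wrong script.
classify_authorize_response() {
    if grep -q 'Access Forbidden by CSRFProtector' "$1"; then
        echo csrf-blocked
    elif sed -n '$p' "$1" | grep -q '^[[:space:]]*{'; then
        echo api-json          # last line of the body is a JSON object
    else
        echo other
    fi
}

# nginx_routes_api CONF -> exit 0 if a `location /api/` block has a try_files
# fallback to /api/index.php, 1 otherwise (comments stripped, whitespace flattened)
nginx_routes_api() {
    sed 's/#.*//' "$1" | tr '\n\t' '  ' | tr -s ' ' |
        grep -q 'location /api/ {[^}]*try_files[^}]*/api/index.php'
}

# diagnose RESPONSE_FILE CONF -> one-line verdict
diagnose() {
    verdict=$(classify_authorize_response "$1")
    if [ "$verdict" = csrf-blocked ] && ! nginx_routes_api "$2"; then
        echo "csrf-blocked: no location /api/ fallback to /api/index.php"
    else
        echo "$verdict"
    fi
}

# --- constructed samples (stand-ins for real curl -i output and nginx conf) ---
tmp=$(mktemp -d)
printf 'HTTP/1.1 403 Forbidden\r\nServer: nginx/1.22.1\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<h2>403 Access Forbidden by CSRFProtector!</h2>\n' > "$tmp/blocked.txt"
printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"token":"PLACEHOLDER"}\n' > "$tmp/api.txt"
printf 'location / {\n  try_files $uri $uri/ /index.php?$args;\n}\n' > "$tmp/missing.conf"
printf 'location /api/ {\n  try_files $uri $uri/ /api/index.php?$args;\n}\n' > "$tmp/fixed.conf"

diagnose "$tmp/blocked.txt" "$tmp/missing.conf"   # csrf-blocked: no location /api/ fallback to /api/index.php
diagnose "$tmp/api.txt" "$tmp/fixed.conf"         # api-json
```

Point it at your own `curl -i` output and nginx site config to see which of the two cases you are in before changing anything else.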