
Verify CSRF / embedding

Open Antazia opened this issue 1 year ago • 3 comments

Hello, I just uploaded the docker on a VPS and changed every variable related to localhost to my server IP.

The embedding on another external website, then, is only working when I remove VerifyCSRFToken from the middleware group.

I can't understand why, as send-message and /chat are excluded from the group (by default) and routes are also excluding it.

But with VerifyCSRFToken I get error 419 related to send-message:1.

Could you give me a fast explanation of the problem? (It's happening even with the default config, just changed the localhost address for chat.css/chat.js.)

Thanks!

Antazia avatar Jun 25 '23 16:06 Antazia

Thanks for reporting this. Indeed it's not an optimal situation, it happens because we use iFrame instead of JS/APIs, which effectively means we are session based, and we do send POST requests.

For now, I think your fix of adding it to the exclude list will work.

This week we will replace the whole chat widget with a much better one, and this problem will be solved too :)

gharbat avatar Jun 26 '23 22:06 gharbat
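To make the explanation above concrete, here is an added Python model (not OpenChat's or Laravel's code) of what a Laravel-style VerifyCsrfToken check does with its `$except` list. The `send-message` and `chat` routes, the 419 status and the third-party-iframe scenario come from this thread; the function names, the session/form shapes and the sample token are constructed assumptions.

```python
import hmac
from fnmatch import fnmatchcase

# Laravel's VerifyCsrfToken treats these methods as "reading" and skips the check.
READ_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed stand-in for the middleware's $except list (paths are matched
# without a leading slash, and '*' wildcards are allowed, as in Laravel).
EXCEPT_PATHS = ["send-message", "chat"]

def in_except_list(path, except_paths):
    """Return True if the request path matches an entry of the $except list."""
    path = path.strip("/") or "/"
    return any(fnmatchcase(path, pattern.strip("/")) for pattern in except_paths)

def verify_csrf(method, path, session, form=None, headers=None, except_paths=EXCEPT_PATHS):
    """Model of the CSRF check: returns 200 when the request passes, 419 when
    the token is missing or does not match the token stored in the session.

    `session` is the server-side session looked up from the cookie (None when
    the browser sent no session cookie, e.g. an iframe on a third-party site
    whose POST arrives without the cookie)."""
    form = form or {}
    headers = headers or {}
    if method.upper() in READ_METHODS:
        return 200
    if in_except_list(path, except_paths):
        # Excluded route: the endpoint has no CSRF protection at all.
        return 200
    if session is None:
        # No session means no token to compare against: TokenMismatchException -> 419.
        return 419
    sent = form.get("_token") or headers.get("X-CSRF-TOKEN")
    expected = session.get("_token")
    if not sent or not expected or not hmac.compare_digest(sent, expected):
        return 419
    return 200

def widget_post_status(excluded):
    """Constructed scenario from the issue: the embedded widget POSTs to
    /send-message from another site, so no session cookie reaches the server."""
    except_paths = EXCEPT_PATHS if excluded else []
    return verify_csrf("POST", "/send-message", session=None,
                       form={"_token": "abc123"}, except_paths=except_paths)
```

Adding a route to the exclude list makes the 419 disappear only because the check is skipped entirely, so anything that endpoint does is then reachable by any cross-site POST.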

Are you releasing it on the github repo or only in openchat.so?

Thanks :)

Antazia avatar Jun 26 '23 22:06 Antazia

Both :)

gharbat avatar Jun 26 '23 23:06 gharbat

Fixed in https://github.com/openchatai/OpenChat/releases/tag/0.31

gharbat avatar Jul 09 '23 17:07 gharbat