kratos
Admin Session Extension Route Blocked by CSRF
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [X] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
In our FE app that communicates with a self-hosted Ory Kratos server, we need to extend a user session on activity.
We attempt to do this by calling `ory.adminExtendSession` with the existing session id, but this returns a CSRF error.
We also tried testing with a curl command, but the results were the same.
After discussing with some of the devs on Slack (thank you @jonas-jonas, @aeneasr, @Benehiko), we found that the issue is that this particular admin path is not being handled correctly.
I am not familiar with Go at all, so I do not feel comfortable making a PR myself, but I am opening this issue as maybe someone else might do it.
Reproducing the bug
- Follow the examples to set up a FE Ory client using `@ory/client` and `@ory/integrations`.
- Get a session using `toSession`.
- Use `adminExtendSession` with the resulting session id.
Relevant log output
```json
{
  "id": "security_csrf_violation",
  "code": 403,
  "status": "Forbidden",
  "request": "bac7d4f7-084b-449d-bdcd-9f3065a13838",
  "reason": "Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.",
  "details": {
    "docs": "https://www.ory.sh/kratos/docs/debug/csrf",
    "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
    "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
  },
  "message": "the request was rejected to protect you from Cross-Site-Request-Forgery"
}
```
Relevant configuration
No response
Version
0.23.1
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Kubernetes with Helm
Additional Context
No response
Since its duplicate is closed as "not planned" I wonder if this bug is gonna be fixed or not.... Can somebody from the team comment on it?
Thank you.
@eli-wand GitHub only allows to close as completed or not-planned.
This is obviously a bug. So it's definitely on the roadmap.
Thanks @jonas-jonas ! Looking forward to it.
Should be quite trivial to solve, contributions are welcome :)