
CSRF on login

Open nijel opened this issue 8 years ago • 1 comments

The login URLs (login/<service>/) are not using CSRF protection, thus it's possible to authenticate users by following links from third-party sites.

It can be simply fixed by adding the @require_POST decorator on social_django.views.auth, but that will require all users to change their logins to use POST instead of the GET which has been used so far, so I'm not sure this is a good change by default. Maybe having this as opt-in?

Anyway, I've applied the decorator in urls for our case: https://github.com/WeblateOrg/weblate/commit/bfd2988e519d43b478987d204f20b53c4932b4a1#diff-926cd04e84cfd0cbeab80af203e8f6d0R36

Originally reported at HackerOne against Weblate.

nijel (May 02 '17 12:05)
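To make the change nijel describes concrete, here is an added, self-contained Python model of the login entry point before and after it is wrapped in a POST-plus-CSRF-token requirement. It is not social-app-django's or Django's code: `Request`, `social_begin` and `protected_social_begin` are constructed stand-ins, and the `require_post` flag models the opt-in behaviour the thread discusses.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    # Constructed stand-in for an HTTP request: method, the <backend> from the
    # URL, form data, and the session (where the per-session CSRF secret lives).
    method: str
    backend: str
    post: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def csrf_token_for(session):
    # Issue (or reuse) the session's CSRF secret; the login form embeds it.
    return session.setdefault("csrf", secrets.token_hex(16))


def social_begin(request):
    # Hypothetical stand-in for social_django.views.auth: any request that
    # reaches it starts the provider redirect, so a plain GET is enough.
    return 302, f"https://provider.example/{request.backend}/authorize"


def protected_social_begin(request, require_post=True):
    # Hardened entry point, modelled on wrapping the view in @require_POST and
    # a CSRF check. require_post=False keeps the legacy GET behaviour, which is
    # exactly what lets a link on a third-party site start the login flow.
    if not require_post:
        return social_begin(request)
    if request.method != "POST":
        return 405, "login must be started with a POST from this site"
    expected = request.session.get("csrf")
    supplied = request.post.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "CSRF verification failed"
    return social_begin(request)


if __name__ == "__main__":
    session = {}
    link_click = Request("GET", "github", session=session)
    print("legacy GET:", protected_social_begin(link_click, require_post=False))
    print("strict GET:", protected_social_begin(link_click))
    form = Request("POST", "github", {"csrfmiddlewaretoken": csrf_token_for(session)}, session)
    print("same-site POST:", protected_social_begin(form))
```

With `require_post=True` a cross-site link (a GET carrying no token) is refused with 405, a POST whose token does not match the session gets 403, and only the site's own form submission reaches the provider redirect.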

Hey!

It's been a long time with no answer to this question, so I want to comment here to raise it, as we faced exactly the same issue that was reported by @nijel.

chinskiy (Jul 07 '22 13:07)

Hey @nijel @chinskiy, I opened a PR; you can take a look if you would like.

sultaniman (Sep 01 '23 15:09)

I am trying this with social auth 5.4.0 and have set SOCIAL_AUTH_REQUIRE_POST = True, but I am still getting the CSRF error.

jasonm23 (Apr 13 '24 07:04)