Re: [Snowy] OAuth - CSRF verification failed



This seems quite strange.  I'm looking at the commit where Leon made
our API resources CSRF-exempt:

http://git.gnome.org/browse/snowy/commit/?id=93b27ce1308822ad8e66e94d21d485787241dd16

But Eric is receiving a failure when requesting a token, not when
accessing an API URL. I wonder if some similar fix is required for the
OAuth-related URLs?  But I'm not sure what.

This is probably not related, but Eric, have you double-checked that
you have anyone/anyone set as the consumer key/secret?  And also, can
you verify that you really are using the absolute latest version of
snowy from git?

Thanks,
Sandy

On Sat, Mar 27, 2010 at 10:24 PM, Eric Kerby <eric epkphoto com> wrote:
> Here's some more info:
>
> Tomboy versions tried - 1.1.4 (Mac OS X) and 1.0.0 (Ubuntu 9.10)
>
> Snowy deployment
>    Django (tried both subversion checkout of trunk and 1.1.1 via apt-get)
>    Deployed under Apache with mod-python and run with built in webserver with same results
>    Snowy head version checked out via git
>    Used both MySQL and SQLite databases with same results
>
> Contents of http://10.2.3.189:8000/api/1.0
> {
>    "oauth_access_token_url": "http://10.2.3.189:8000/oauth/access_token/",
>    "api-version": "1.0",
>    "oauth_request_token_url": "http://10.2.3.189:8000/oauth/request_token/",
>    "oauth_authorize_url": "http://10.2.3.189:8000/oauth/authenticate/"
> }
>
> I have been testing this in a VirtualBox VM as well as in an OpenVZ
> container...both of which act normally otherwise.  The Django install in the
> OpenVZ container also works well for other non-snowy Django sites.
>
> For the sqlite instance, the local_settings.py file was unchanged from the
> git version.
>
> Site configured in snowy/django admin:
>    Domain name: 10.2.3.189:8000
>    Display name: Eric's Notes
> (if I change the server to run on 127.0.0.1:8000, it works...no dice on
> 10.2.3.189, though the web frontend still works)
>
> Anything else you all think might be useful?
>
> -Eric
>
>
> On 3/27/10 6:48 PM, Benoit Garret wrote:
>>
>> Hi Eric,
>>
>> What you report is strange, CSRF seems to be explicitly disabled in
>> the Snowy API. Could you post some more information about your setup
>> (Tomboy version, Snowy deployment method, contents of
>> http://yourhostname/api/1.0, and generally anything you think could be
>> useful)?
>>
>> Benoît
>>
>>
>>
>> On Sat, Mar 27, 2010 at 5:28 PM, Eric Kerby<eric epkphoto com>  wrote:
>>
>>>
>>> I'm quite excited about using snowy to synchronize notes.  Unfortunately, I
>>> have been having a bit of trouble getting everything working.
>>>
>>> I'm using Ubuntu and have tried both Django trunk and Django version 1.1.1
>>> with the same results.  When I set up snowy on the same host as the Tomboy
>>> client, it works great.  Notes synchronize, and all seems well.
>>>
>>> When I then start the snowy server bound to an IP accessible outside of that
>>> box (i.e., not 127.0.0.1), change the domain of the site in the snowy admin to
>>> either the IP address or hostname (plus :8000) and try to synchronize from a
>>> separate computer, the following happens when I click "Connect to server" in
>>> Tomboy:
>>>
>>> HTTP requests:
>>>    [27/Mar/2010 12:25:14] "GET /api/1.0 HTTP/1.1" 301 0
>>>    [27/Mar/2010 12:25:14] "GET /api/1.0/ HTTP/1.0" 200 258
>>>    [27/Mar/2010 12:25:14] "POST /oauth/request_token/ HTTP/1.0" 403 1654
>>>
>>> That last one (POST /oauth/request_token/) returns a 403 error and if I
>>> perform a tcpdump, I can see that in the 403 packet that is returned, django
>>> complains that the "CSRF verification failed".  It also says "No CSRF or
>>> session cookie".
>>>
>>> Any ideas?  I'm going to delve into the code and see if I can discover
>>> anything, but I'm no Django expert...
>>>
>>> Thanks,
>>> Eric
>>> _______________________________________________
>>> Snowy-list mailing list
>>> Snowy-list gnome org
>>> http://mail.gnome.org/mailman/listinfo/snowy-list
>>>
>>>
>>>
>
>
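
The per-view exemption discussed in this thread, as an added example that is not part of the original messages and is neither Snowy's nor Django's code: a simplified Python model in which exemption is a flag on each view, so exempting the API resources leaves an OAuth token endpoint still rejecting a POST that carries no CSRF cookie. The view names, route table and request dicts are constructed for illustration.

```python
import hmac
from functools import wraps

def csrf_exempt(view):
    """Flag a view as exempt by setting an attribute on the callable."""
    @wraps(view)
    def wrapped(request):
        return view(request)
    wrapped.csrf_exempt = True
    return wrapped

def csrf_check(view, request):
    """Return a (status, reason) rejection, or None to let the view run."""
    if request["method"] != "POST" or getattr(view, "csrf_exempt", False):
        return None
    cookie = request.get("cookies", {}).get("csrftoken")
    if cookie is None:
        # A non-browser client never visited a page that set the cookie.
        return (403, "No CSRF or session cookie")
    token = request.get("post", {}).get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(token, cookie):
        return (403, "CSRF token mismatch")
    return None

@csrf_exempt
def api_root(request):        # hypothetical stand-in for an exempt API resource
    return (200, "api")

def request_token(request):   # hypothetical stand-in, left unexempted
    return (200, "token issued")

ROUTES = {"/api/1.0/": api_root, "/oauth/request_token/": request_token}

def dispatch(routes, request):
    """Run the CSRF check for the routed view, then the view if it passes."""
    view = routes[request["path"]]
    return csrf_check(view, request) or view(request)

def unexempted(routes):
    """Paths where a cookie-less POST would be rejected before the view runs."""
    return sorted(p for p, v in routes.items()
                  if not getattr(v, "csrf_exempt", False))

# Constructed request shaped like the sync client's POST in the log above.
CLIENT_POST = {"method": "POST", "path": "/oauth/request_token/", "cookies": {}}

if __name__ == "__main__":
    print(dispatch(ROUTES, CLIENT_POST))
    print(unexempted(ROUTES))
```

Exempting an endpoint is only appropriate when it authenticates each request by means other than browser cookies, as a signed OAuth request does.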

