
CSRF validation errors when OAuth is not enabled #30923

Closed
bohde opened this issue May 9, 2024 · 2 comments · Fixed by #30942
bohde commented May 9, 2024

Description

When upgrading to 1.21, we began experiencing sporadic CSRF validation errors on form submissions. We run a multi-container Docker setup, and found this issue only happened when the container that issued the CSRF token was not the same container that handled the form submission. In investigating the container logs, we found the following log line which seems to be the root cause:

...es/setting/oauth2.go:164:GetGeneralTokenSigningSecret() [W] OAuth2 is not enabled, unable to use a persistent signing secret, a new one is generated, which is not persistent between restarts and cluster nodes

It is possible to reproduce without multiple containers, using the following steps:

  1. Run a server with the following in the config file:

     [oauth2]
     ENABLE = false

  2. Visit any form, such as repository settings, to have a CSRF token generated
  3. Restart the server
  4. Submit the form
  5. The user is now redirected to the home page, and the form submission did not work

It appears this log message, and the change to CSRF token generation, were introduced in #29205.

Gitea Version

1.21.11

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Multi-container Docker

Database

None

@bohde bohde added the type/bug label May 9, 2024
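To make the reported failure mode concrete, here is an added Go example (not Gitea's code; the node type and function names are hypothetical). A signed token issued by one process validates on another only when both hold the same signing secret; the per-process random secret described in the warning above is exactly what breaks that across restarts and containers.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// node models one server process holding a token-signing secret (hypothetical type, not Gitea's code).
type node struct{ secret []byte }

// newEphemeralNode reproduces the warned-about behaviour: a fresh random secret per process,
// lost on restart and different on every cluster node.
func newEphemeralNode() *node {
	s := make([]byte, 32)
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	return &node{secret: s}
}
// newPersistentNode takes a secret shared via configuration by all nodes.
func newPersistentNode(shared []byte) *node { return &node{secret: shared} }
func (n *node) mac(nonce string) string {
	m := hmac.New(sha256.New, n.secret)
	m.Write([]byte(nonce))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}
// issueToken signs a per-session nonce: "<nonce>.<base64 HMAC>".
func (n *node) issueToken(nonce string) string { return nonce + "." + n.mac(nonce) }
// validateToken recomputes the MAC with this node's secret (hmac.Equal is constant-time).
func (n *node) validateToken(token string) bool {
	i := strings.LastIndexByte(token, '.')
	if i < 0 {
		return false
	}
	return hmac.Equal([]byte(n.mac(token[:i])), []byte(token[i+1:]))
}
// crossNodeCheck issues a token on one process and validates it on another,
// i.e. the multi-container or restart scenario from the report.
func crossNodeCheck(issuer, validator *node) bool {
	return validator.validateToken(issuer.issueToken("session-nonce-123"))
}

func main() {
	shared := []byte("constructed-shared-secret-from-config") // constructed sample value
	fmt.Println("ephemeral secrets:", crossNodeCheck(newEphemeralNode(), newEphemeralNode()))         // false
	fmt.Println("shared secret:", crossNodeCheck(newPersistentNode(shared), newPersistentNode(shared))) // true
}
```

The check to apply in a multi-node deployment is the second case: every instance must load the same secret from configuration, otherwise tokens only validate on the instance that minted them.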
@wxiaoguang
Contributor

Forgot to make a complete solution in 1.22 .... will do it.

@wxiaoguang
Contributor

-> Introduce general web secret #30929
