properly enforce CSRF validation

see: https://github.com/ansible/tower/issues/2339

awx/api/authentication.py

@@ -39,9 +39,6 @@ class SessionAuthentication(authentication.SessionAuthentication):
     def authenticate_header(self, request):
         return 'Session'
 
-    def enforce_csrf(self, request):
-        return None
-
 
 class LoggedOAuth2Authentication(OAuth2Authentication):
 

awx/api/views.py

@@ -24,7 +24,8 @@ from django.shortcuts import get_object_or_404
 from django.utils.encoding import smart_text
 from django.utils.safestring import mark_safe
 from django.utils.timezone import now
-from django.views.decorators.csrf import csrf_exempt
+from django.utils.decorators import method_decorator
+from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
 from django.template.loader import render_to_string
 from django.http import HttpResponse
 from django.contrib.contenttypes.models import ContentType
@@ -229,6 +230,7 @@ class ApiRootView(APIView):
     versioning_class = None
     swagger_topic = 'Versioning'
 
+    @method_decorator(ensure_csrf_cookie)
     def get(self, request, format=None):
         ''' List supported API versions '''
 

awx/settings/defaults.py

@@ -207,6 +207,8 @@ SESSION_COOKIE_AGE = 1209600
 # Note: This setting may be overridden by database settings.
 SESSIONS_PER_USER = -1
 
+CSRF_USE_SESSIONS = False
+
 # Disallow sending csrf cookies over insecure connections
 CSRF_COOKIE_SECURE = True
 

awx/ui/client/src/login/authenticationServices/authentication.service.js

@@ -42,21 +42,13 @@ export default
                 return $rootScope.userLoggedIn;
             },
             retrieveToken: function (username, password) {
-                var getCSRFToken = $http({
+                return $http({
-                    method: 'GET',
+                    method: 'POST',
-                    url: `/api/login/`
+                    url: `/api/login/`,
-                });
+                    data: `username=${encodeURIComponent(username)}&password=${encodeURIComponent(password)}&next=%2fapi%2f`,
-
+                    headers: {
-                return getCSRFToken.then(function({data}) {
+                        'Content-Type': 'application/x-www-form-urlencoded'
-                    var csrfmiddlewaretoken = /name='csrfmiddlewaretoken' value='([0-9a-zA-Z]+)' \//.exec(data)[1];
+                    }
-                    return $http({
-                        method: 'POST',
-                        url: `/api/login/`,
-                        data: `username=${encodeURIComponent(username)}&password=${encodeURIComponent(password)}&csrfmiddlewaretoken=${csrfmiddlewaretoken}&next=%2fapi%2f`,
-                        headers: {
-                            'Content-Type': 'application/x-www-form-urlencoded'
-                        }
-                    });
                 });
             },
             deleteToken: function () {

awx/ui/client/src/rest/interceptors.service.js

@@ -11,11 +11,14 @@
   *************************************************/
 
  export default
-    [ '$rootScope', '$q', '$injector',
+    [ '$rootScope', '$q', '$injector', '$cookies',
-        function ($rootScope, $q, $injector) {
+        function ($rootScope, $q, $injector, $cookies) {
             return {
                 request: function (config) {
                     config.headers['X-Requested-With'] = 'XMLHttpRequest';
+                    if (['GET', 'HEAD', 'OPTIONS'].indexOf(config.method)===-1) {
+                        config.headers['X-CSRFToken'] = $cookies.get('csrftoken');
+                    }
                     return config;
                 },
                 response: function(config) {