diff --git a/awx/api/authentication.py b/awx/api/authentication.py
index f0d345e444..9dfb883ac3 100644
--- a/awx/api/authentication.py
+++ b/awx/api/authentication.py
@@ -39,9 +39,6 @@ class SessionAuthentication(authentication.SessionAuthentication):
     def authenticate_header(self, request):
         return 'Session'
 
-    def enforce_csrf(self, request):
-        return None
-
 
 class LoggedOAuth2Authentication(OAuth2Authentication):
 
diff --git a/awx/api/views.py b/awx/api/views.py
index c6cb9cb0c0..9b03df1d39 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -24,7 +24,8 @@ from django.shortcuts import get_object_or_404
 from django.utils.encoding import smart_text
 from django.utils.safestring import mark_safe
 from django.utils.timezone import now
-from django.views.decorators.csrf import csrf_exempt
+from django.utils.decorators import method_decorator
+from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
 from django.template.loader import render_to_string
 from django.http import HttpResponse
 from django.contrib.contenttypes.models import ContentType
@@ -229,6 +230,7 @@ class ApiRootView(APIView):
     versioning_class = None
     swagger_topic = 'Versioning'
 
+    @method_decorator(ensure_csrf_cookie)
     def get(self, request, format=None):
         ''' List supported API versions '''
 
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index f0f4d68b88..b159ef3d61 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -207,6 +207,8 @@ SESSION_COOKIE_AGE = 1209600
 
 # Note: This setting may be overridden by database settings.
 SESSIONS_PER_USER = -1
 
+CSRF_USE_SESSIONS = False
+
 # Disallow sending csrf cookies over insecure connections
 CSRF_COOKIE_SECURE = True
diff --git a/awx/ui/client/src/login/authenticationServices/authentication.service.js b/awx/ui/client/src/login/authenticationServices/authentication.service.js
index 6285d8d43c..fa7ff2a2fa 100644
--- a/awx/ui/client/src/login/authenticationServices/authentication.service.js
+++ b/awx/ui/client/src/login/authenticationServices/authentication.service.js
@@ -42,21 +42,13 @@ export default
                 return $rootScope.userLoggedIn;
             },
             retrieveToken: function (username, password) {
-                var getCSRFToken = $http({
-                    method: 'GET',
-                    url: `/api/login/`
-                });
-
-                return getCSRFToken.then(function({data}) {
-                    var csrfmiddlewaretoken = /name='csrfmiddlewaretoken' value='([0-9a-zA-Z]+)' \//.exec(data)[1];
-                    return $http({
-                        method: 'POST',
-                        url: `/api/login/`,
-                        data: `username=${encodeURIComponent(username)}&password=${encodeURIComponent(password)}&csrfmiddlewaretoken=${csrfmiddlewaretoken}&next=%2fapi%2f`,
-                        headers: {
-                            'Content-Type': 'application/x-www-form-urlencoded'
-                        }
-                    });
+                return $http({
+                    method: 'POST',
+                    url: `/api/login/`,
+                    data: `username=${encodeURIComponent(username)}&password=${encodeURIComponent(password)}&next=%2fapi%2f`,
+                    headers: {
+                        'Content-Type': 'application/x-www-form-urlencoded'
+                    }
                 });
             },
             deleteToken: function () {
diff --git a/awx/ui/client/src/rest/interceptors.service.js b/awx/ui/client/src/rest/interceptors.service.js
index 0671702e88..b02013d435 100644
--- a/awx/ui/client/src/rest/interceptors.service.js
+++ b/awx/ui/client/src/rest/interceptors.service.js
@@ -11,11 +11,14 @@
  *************************************************/
 
 export default
-    [ '$rootScope', '$q', '$injector',
-    function ($rootScope, $q, $injector) {
+    [ '$rootScope', '$q', '$injector', '$cookies',
+    function ($rootScope, $q, $injector, $cookies) {
         return {
             request: function (config) {
                 config.headers['X-Requested-With'] = 'XMLHttpRequest';
+                if (['GET', 'HEAD', 'OPTIONS'].indexOf(config.method)===-1) {
+                    config.headers['X-CSRFToken'] = $cookies.get('csrftoken');
+                }
                 return config;
             },
             response: function(config) {
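Review bot: The added `@method_decorator(ensure_csrf_cookie)` on `ApiRootView.get` is load-bearing for the whole change yet carries no explanation; a reader of views.py cannot tell why the API root, of all views, issues a CSRF cookie. Add a comment above it such as `# Issue the csrftoken cookie from the API root so a browser client can read it and send X-CSRFToken on later unsafe requests (session auth now enforces CSRF).` The cookie is only set once a client has actually requested `/api/`; a client that posts before doing so presumably has to obtain it some other way, which is worth stating here so the dependency is not silently broken later. The body of `get` continues beyond the hunk.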
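Review bot: `CSRF_USE_SESSIONS = False` is Django's default value, so as written the new line documents nothing; its real purpose is to pin a constraint the JavaScript client now depends on, and nothing in the hunk says so. Add a comment such as `# Keep the CSRF token in the csrftoken cookie rather than the session: the UI reads it from the cookie and echoes it as X-CSRFToken. For the same reason CSRF_COOKIE_HTTPONLY must stay False.` If `CSRF_COOKIE_HTTPONLY` is set anywhere else in the settings hierarchy (not visible here), that needs checking, because an HttpOnly cookie would leave the client unable to read the token and every unsafe request would be rejected.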
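Review bot: The rewritten `retrieveToken` posts to `/api/login/` with no CSRF token in the body and relies entirely on a `csrftoken` cookie already being present for the request interceptor to copy into `X-CSRFToken`, but nothing in this function ensures that cookie exists. On a first visit where no earlier request has set it, Django's CSRF middleware would typically reject the POST with a 403 ("CSRF cookie not set"); whether that path is reachable depends on whether the app always fetches `/api/` before showing the login form, which is not visible here. A defensive option is to check for the cookie and issue one GET to `/api/` when it is missing before posting; that would require `$cookies` in this service's dependency list, which lies outside the hunk. Dropping the regex scrape of the rendered login form is a clear improvement. The enclosing `export default` object starts before this hunk and ends after it.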
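Review bot: The cookie name `csrftoken` and header `X-CSRFToken` on the added line are Django's defaults (`CSRF_COOKIE_NAME`, `CSRF_HEADER_NAME`) and nothing ties them to the server settings; record the coupling with a comment such as `// Must match Django's CSRF_COOKIE_NAME / CSRF_HEADER_NAME; the cookie must not be HttpOnly or $cookies cannot read it.` The safe-method list also omits `TRACE`, which Django treats as safe; `if (['GET', 'HEAD', 'OPTIONS', 'TRACE'].indexOf(config.method) === -1) {` matches the server's definition, though the extra header on a TRACE is harmless. When the cookie is absent `$cookies.get` returns undefined and the header is assigned undefined; confirm that Angular drops undefined header values rather than sending the string "undefined", and otherwise guard the assignment.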