When a session is established using Services, a client intending to do modifying actions must request a CSRF token which is then included in subsequent requests. The Services module provides the path /services/session/token which returns the token for the session. Deploy currently grabs this token but uses hard coded assumptions:

  1. That the endpoint starts at the root of the domain (i.e. not in a subdirectory).
  2. That the path is /services/session/token

This means that Drupal installations installed in subdirectories, e.g. example.com/mydrupal, cannot be used as endpoints. I found this to be annoying when doing testing as I did not want to set up a new subdomain or port on the web server.

The relevant code is lines 64 - 90 of plugins/DeployAuthenticatorSession.inc.

I couldn't think of a good way to automatically determine the proper URL, so making it configurable is the next best option. Since it is the authenticator that logs in and grabs the token, it makes sense to me to add a form field for specifying the CSRF token request URL as part of the authenticator's configuration. This creates some minor user experience issues as site builders need to enter one URL for the CSRF token and another URL in the Service config for the API endpoint.


Comments

CalebD

Attached is a patch which adds a form field to the session authenticator for the token CSRF URL. It also provides an update function to update existing endpoints. I also adjusted the authentication config for tests, but haven't run the tests.

runeasgar

For clarity, right now if you are trying to connect to an endpoint that is in a subdirectory (localhost/whatever) the CSRF request will fail, because the $token_url is formed using $parts['host'], and the subdirectory ends up in $parts['path'] - which isn't used to form $token_url.

I encountered this issue while prototyping Deployment locally and had to dig through the code to find a way to fix it.

Does this patch resolve that issue?
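The host-only token URL construction described in this thread, beside a path-aware default and a configurable override with a same-origin check, as an added example. This is not code from the Deploy module or from any patch attached here; the function names, the hypothetical alter hook name, the sample endpoint URLs and the same-origin mitigation are assumptions made for illustration.

```php
<?php
// Added example; not code from the Deploy module or from any patch in this
// thread. Function names, the 'deploy_example_' prefix, the hook name and the
// sample URLs are assumptions used for illustration.

/**
 * The host-only construction this thread describes: parse_url() puts a
 * subdirectory into $parts['path'], which this function never reads, so an
 * endpoint at example.com/mydrupal/api asks example.com/services/session/token.
 */
function deploy_example_token_url_host_only($endpoint_url) {
  $parts = parse_url($endpoint_url);
  return $parts['scheme'] . '://' . $parts['host'] . '/services/session/token';
}

/**
 * Path-aware default: keep scheme, host and port, keep the endpoint path minus
 * its last segment (the Services endpoint name, e.g. 'api'), and append the
 * token path relative to that Drupal base path.
 */
function deploy_example_token_url_default($endpoint_url, $token_path = 'services/session/token') {
  $parts = parse_url($endpoint_url);
  $base = $parts['scheme'] . '://' . $parts['host'];
  if (!empty($parts['port'])) {
    $base .= ':' . $parts['port'];
  }
  $path = isset($parts['path']) ? rtrim($parts['path'], '/') : '';
  // Drop the endpoint segment itself; whatever remains is the Drupal base path.
  $drupal_base = ($path === '') ? '' : dirname($path);
  if ($drupal_base === '/' || $drupal_base === '.' || $drupal_base === '\\') {
    $drupal_base = '';
  }
  return $base . $drupal_base . '/' . ltrim($token_path, '/');
}

/**
 * True when both URLs share scheme, host and (explicit or default) port.
 */
function deploy_example_same_origin($a, $b) {
  $pa = parse_url($a);
  $pb = parse_url($b);
  if ($pa === FALSE || $pb === FALSE || empty($pa['host']) || empty($pb['host'])
      || empty($pa['scheme']) || empty($pb['scheme'])) {
    return FALSE;
  }
  $default = array('http' => 80, 'https' => 443);
  $port = function ($p) use ($default) {
    $scheme = strtolower($p['scheme']);
    return isset($p['port']) ? (int) $p['port'] : (isset($default[$scheme]) ? $default[$scheme] : 0);
  };
  return strtolower($pa['scheme']) === strtolower($pb['scheme'])
    && strtolower($pa['host']) === strtolower($pb['host'])
    && $port($pa) === $port($pb);
}

/**
 * Resolve the token URL: a configured value (the form field approach) wins,
 * otherwise the derived default; modules then get a chance to alter it (the
 * alter hook approach). The same-origin check is a mitigation added in this
 * example: the token request carries the session cookie, so a configurable
 * URL must not be allowed to send it to a different origin.
 */
function deploy_example_resolve_token_url($endpoint_url, $configured_token_url = '') {
  $token_url = trim($configured_token_url) !== ''
    ? $configured_token_url
    : deploy_example_token_url_default($endpoint_url);

  if (function_exists('drupal_alter')) {
    // Hypothetical hook name; inside Drupal 7 this would invoke
    // hook_deploy_example_token_url_alter(&$token_url, $endpoint_url).
    drupal_alter('deploy_example_token_url', $token_url, $endpoint_url);
  }

  if (!deploy_example_same_origin($endpoint_url, $token_url)) {
    throw new InvalidArgumentException("Token URL $token_url is not on the endpoint's origin");
  }
  return $token_url;
}

// Constructed sample endpoints: one at the document root, one in a subdirectory.
$root_endpoint = 'http://example.com/api';
$subdir_endpoint = 'http://example.com/mydrupal/api';

// Host-only construction loses the /mydrupal prefix for the subdirectory site.
echo deploy_example_token_url_host_only($subdir_endpoint), "\n";
// Path-aware default keeps it.
echo deploy_example_token_url_default($subdir_endpoint), "\n";
// Root install: both approaches agree.
echo deploy_example_resolve_token_url($root_endpoint), "\n";
// A configured token URL on another origin is rejected before any request is made.
try {
  deploy_example_resolve_token_url($subdir_endpoint, 'https://other.example/steal');
} catch (InvalidArgumentException $e) {
  echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run with `php example.php`. The derived default covers the subdirectory case without a second configuration field; the configured override and the alter hook stay available for layouts the derivation cannot guess, and the origin check keeps either of them from redirecting the authenticated token request off the endpoint's host.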

thtas

@runeasgar yes it does.

Good patch - but may need to be re-rolled for later version of deploy

thtas

Here is a patch against 7.x-2.0-alpha2

jneubert

Re-rolled against 7.x-2.0-alpha3 - worked for me. Not yet tested extensively.

Viacom

Edit: sorry, logged in on the corporate account. Reposting.

reevo

I've been looking into this issue as I am working on a site which lives under a subdirectory; however, I have discovered as part of my investigations that the token is actually returned as part of the response to the login request, which makes the additional 'services/session/token' request unnecessary:

$response_data = Array
(
    [sessid] => XXXXXXXXXXX
    [session_name] => XXXXXXXXXXX
    [token] => XXXXXXXXXXX
    [user] => Array()
)

And here it is in Services:

http://cgit.drupalcode.org/services/tree/resources/user_resource.inc?h=7...

edit: I'm not functioning properly today. Issue is addressed in #2388119: Get CSRF token from /user/login endpoint

mrmikedewolf

Here is a much more lightweight alternative. Just provide an alter hook.

skwashd

Status: Needs review » Postponed
Related issues: +#2388119: Get CSRF token from /user/login endpoint

I've reviewed this issue and #2388119: Get CSRF token from /user/login endpoint. I am marking this as postponed with a high probability of it being closed and marked as wontfix in favour of #2388119.

CoderBrandon

Rerolled #8 to apply to version 7.x-2.0-beta2.