
Getting "CSRF verification failed" with Kiwi TCMS running from Docker

I am running the Kiwi TCMS Docker image. When I attempt to login I get the error "CSRF verification failed. Request aborted.".

I do not see any place to set a CSRF token.

CSRF tokens are automatically set by the backend framework. You can find them as a hidden field inside HTML forms. When a web form is POSTed the token coming with the HTTP request is checked for validity. More info here: https://docs.djangoproject.com/en/4.0/ref/csrf/

Login via HTTP (and HTTPS) is already tested here: https://github.com/kiwitcms/Kiwi/blob/master/tests/test_http.sh#L12

The test function saves the current CSRF token into a file and then simulates the POST request (to avoid running a UI workflow).

Logging in via the web login form (both with HTTP and HTTPS) reports PASS: https://github.com/kiwitcms/Kiwi/runs/5470976307?check_suite_focus=true

In addition I've verified that when you start up the container as described in the documentation you can login, register new accounts and create a Product/Test Plan via a browser.

The problem doesn't seem to be in Kiwi TCMS or the latest version of Django because the default setup works fine as verified by manual and automated tests.

The referenced GitHub Issue states:

behind a reverse proxy with the environment variable KIWI_DONT_ENFORCE_HTTPS=true I am now seeing the following CSRF error.

In order to make any progress on this issue we need to see the complete reverse proxy setup. Otherwise we can't debug.

The same GitHub Issue also points to https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins as a suspected root cause, which states:

For a secure unsafe request that doesn't include the Origin header, the request must have a Referer header that matches the origin present in the Host header.

We also need to see the headers sent between the reverse proxy and the Kiwi TCMS container. If some of them are missing or mismatching that could be confusing the CSRF validation algorithm.

Action required: update the original question with the necessary details.

I will also ask the question: what is your practical reason for disabling HTTPS?

From what I've seen so far load balancers and reverse proxies can happily terminate SSL traffic with your chosen certificate and communicate with the Kiwi TCMS containers via HTTPS even when the actual container SSL certificate is self signed. In fact that's how public.tenant.kiwitcms.org is deployed. You don't gain anything by disabling HTTPS on the container.

Disclaimer: this answer has been provided by a Kiwi TCMS team core member.

You can deal with this error by mounting custom settings to your kiwi container.

Like this (for compose):

volumes:
 - ./kiwi_custom_settings.py:/venv/lib64/python3.8/site-packages/tcms_settings_dir/custom_settings.py

And the contents of your ./kiwi_custom_settings.py should look like:

CSRF_TRUSTED_ORIGINS = ["http://*.your.domain.com", "https://*.your.domain.com"]
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

You can use wildcards in CSRF_TRUSTED_ORIGINS or just specify single domain name. More details: https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins

The second line is used to suppress the message about an insecure connection in kiwi.

I use the settings above for kiwi and nginx acme-companion.
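The two answers above both come down to what the container sees after the reverse proxy: the first asks for the headers exchanged between proxy and container because missing or mismatching ones confuse the CSRF check, the second fixes it with CSRF_TRUSTED_ORIGINS and SECURE_PROXY_SSL_HEADER. The following is an added example, not code from Kiwi TCMS, Django or any of the posters: a simplified re-implementation of the Origin/Referer decision Django's CsrfViewMiddleware makes for an unsafe request, run against constructed request headers. The host names (tcms.example.com, kiwi-backend:8443), the settings values and the header sets are assumptions chosen to illustrate the failure modes discussed above.

```python
"""Simplified model of Django's CSRF origin/referer check behind a reverse proxy.

Added example (not Django or Kiwi TCMS code). It reproduces, in reduced form,
how CsrfViewMiddleware decides whether a POST may proceed to the token
comparison: decide whether the request counts as secure (optionally via
SECURE_PROXY_SSL_HEADER), then compare the Origin header, or the Referer when
Origin is absent, with the Host header and CSRF_TRUSTED_ORIGINS.
"""
from urllib.parse import urlsplit

# Constructed settings: container defaults versus the custom_settings.py from
# the answer above (example.com stands in for your.domain.com).
DEFAULT_SETTINGS = {"CSRF_TRUSTED_ORIGINS": [], "SECURE_PROXY_SSL_HEADER": None}
CUSTOM_SETTINGS = {
    "CSRF_TRUSTED_ORIGINS": ["http://*.example.com", "https://*.example.com"],
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
}


def is_same_domain(host, pattern):
    """Like django.utils.http.is_same_domain: a leading dot matches subdomains."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
            or pattern == host)


def is_secure(meta, settings):
    """Scheme as Django sees it: the proxy header is trusted only when configured."""
    if settings["SECURE_PROXY_SSL_HEADER"]:
        header, value = settings["SECURE_PROXY_SSL_HEADER"]
        return meta.get(header) == value
    return meta.get("wsgi.url_scheme") == "https"


def csrf_origin_check(meta, settings):
    """Return (accepted, reason) for an unsafe request, before the token is compared.

    `meta` is a WSGI-style dict (HTTP_HOST, HTTP_ORIGIN, HTTP_REFERER,
    HTTP_X_FORWARDED_PROTO, wsgi.url_scheme) as the container receives it.
    """
    trusted = settings["CSRF_TRUSTED_ORIGINS"]
    exact_origins = {o for o in trusted if "*" not in o}
    wildcard_by_scheme = {}  # e.g. "https" -> [".example.com"]
    for o in trusted:
        parsed = urlsplit(o)
        if parsed.netloc.startswith("*"):
            wildcard_by_scheme.setdefault(parsed.scheme, []).append(parsed.netloc.lstrip("*"))
    trusted_hosts = [urlsplit(o).netloc.lstrip("*") for o in trusted]

    host = meta["HTTP_HOST"]
    secure = is_secure(meta, settings)
    good_origin = "%s://%s" % ("https" if secure else "http", host)

    if "HTTP_ORIGIN" in meta:
        origin = meta["HTTP_ORIGIN"]
        if origin == good_origin:
            return True, "origin matches host"
        if origin in exact_origins:
            return True, "origin listed in CSRF_TRUSTED_ORIGINS"
        parsed = urlsplit(origin)
        if any(is_same_domain(parsed.netloc, p) for p in wildcard_by_scheme.get(parsed.scheme, ())):
            return True, "origin matches trusted wildcard"
        return False, "Origin checking failed - %s does not match any trusted origins." % origin

    if secure:  # a "secure unsafe request" without Origin falls back to the Referer
        referer = meta.get("HTTP_REFERER")
        if referer is None:
            return False, "Referer checking failed - no Referer."
        parsed = urlsplit(referer)
        if parsed.scheme != "https" or not parsed.netloc:
            return False, "Referer checking failed - %s is insecure or malformed." % referer
        if not any(is_same_domain(parsed.netloc, h) for h in trusted_hosts + [host]):
            return False, "Referer checking failed - %s does not match any trusted origins." % referer
        return True, "referer matches host or trusted origin"

    return True, "plain http without Origin: no origin check, token still verified"


def scenarios():
    """Constructed requests as the container sees them after TLS was terminated upstream."""
    proxied = {  # browser used https; proxy forwarded plain http but preserved Host
        "wsgi.url_scheme": "http",
        "HTTP_HOST": "tcms.example.com",
        "HTTP_ORIGIN": "https://tcms.example.com",
        "HTTP_REFERER": "https://tcms.example.com/accounts/login/",
        "HTTP_X_FORWARDED_PROTO": "https",
    }
    host_rewritten = dict(proxied, HTTP_HOST="kiwi-backend:8443")  # proxy replaced Host
    no_origin = {k: v for k, v in proxied.items() if k != "HTTP_ORIGIN"}  # Referer only
    return {
        "proxied, default settings": csrf_origin_check(proxied, DEFAULT_SETTINGS),
        "proxied, custom settings": csrf_origin_check(proxied, CUSTOM_SETTINGS),
        "Host rewritten, default settings": csrf_origin_check(host_rewritten, DEFAULT_SETTINGS),
        "Host rewritten, custom settings": csrf_origin_check(host_rewritten, CUSTOM_SETTINGS),
        "Referer only, custom settings": csrf_origin_check(no_origin, CUSTOM_SETTINGS),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print("%-34s %s  %s" % (name, "PASS" if ok else "403 ", reason))
```

Running the script shows the two failure modes side by side: with the container defaults the request is rejected both when the proxy forwards plain HTTP (the Origin says https, the container computes http) and when the proxy rewrites the Host header (the Origin names a host the container never sees). SECURE_PROXY_SSL_HEADER repairs the first case by letting the container believe X-Forwarded-Proto, and the wildcard in CSRF_TRUSTED_ORIGINS papers over the second; preserving the Host header at the proxy, as the IIS answer below does, removes the second mismatch at its source. Django's real middleware adds DisallowedHost handling and cookie-domain logic that this model leaves out.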

Got this error too. I had kiwi behind IIS 10 with ARR. I had to set preserveHostHeader to true to make CSRF work correctly.

%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost
