Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Minor
Fix Version/s: 2.11.1 GA
Affects Version/s: 2.10 GA
Component/s: System
Labels:
- 2.11.1-candidate-1

Blocked:
False
Ready:
False
3Scale PT Tested upstream:
Not Started
3scale PT Docs:
Not Started
3scale PT Product Specs:
Not Started
3scale PT Product Update Ready:
Not Started
3scale PT Released In Saas:
Not Started
3scale PT Verified Product:
Not Started
Release Note Text:
undefined
Target Release:

2.11.1 CR1
Steps to Reproduce:
1. Create new access token with all permissions/scopes
2. Go to 3scale API Docs page
3. Send Backend create request with the token
4. Reload admin portal page
5. See it requires login

SFDC Cases Counter:
SFDC Cases Links:

Description

Some api calls trough API Docs page cause session to log out. Doesn't happen while using the curl command.

Known to cause this:

Backend create/delete/update
Field definitions update/delete

In the logs (attached below) for system-provider shows:

... Can't verify CSRF token authenticity.
... Destroying user session {id}

Where id is filled AND actually logs out when used trough API Docs page. When using curl the id is missing and doesn't cause log out.

Dev notes

Every endpoint in the API Docs page which returns json and uses different HTTP methods than GET will trigger the destruction of the session.

The easiest fix is to disable the CSRF protection for json requests. However, this is not optimal.
We should fix the communication between the backend and frontend so it won't destroy the user session.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

report.log
3 kB
2021/08/24 3:56 PM

Activity

People

Assignee:: Unassigned

Reporter:: Alexander Zgabur

Tester:: Alexander Zgabur

Developer:: Jakub Smadis (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2021/08/24 4:28 PM

Updated:: 2022/01/12 9:58 AM

Resolved:: 2021/12/16 6:03 PM