
403 Access Forbidden by CSRFProtector #4148

Open
shanima333 opened this issue Apr 18, 2024 · 1 comment

Comments

shanima333 commented Apr 18, 2024

Teampass version: 3.1.2.29
PHP version: 8.2.7

I'm encountering a "403 Access Forbidden by CSRFProtector!" error while attempting to authorize the API. Below is the content of my csrfp.config.php file.

```php
<?php
/**
 * Configuration file for CSRF Protector
 */

return array(
    "CSRFP_TOKEN" => "7e637*********ed10876f3",
    "logDirectory" => "../log",
    "failedAuthAction" => array(
        "GET" => 0,
        "POST" => 0),
    "errorRedirectionPage" => "",
    "customErrorMessage" => "",
    "jsPath" => "../js/csrfprotector.js",
    "jsUrl" => "http://teampass.domain.local/includes/libraries/csrfp/js/csrfprotector.js",
    "tokenLength" => 50,
    "cookieConfig" => array(
        "expire" => '',
        "path" => '',
        "domain" => '',
        "secure" => true,
        "httponly" => true,
        "samesite" => "Lax", // None || Lax || Strict
    ),
    "disabledJavascriptMessage" => "This site attempts to protect users against <a href=\"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\">
    Cross-Site Request Forgeries</a> attacks. In order to do so, you must have JavaScript enabled in your web browser otherwise this site will fail to work correctly for you.
    See details of your web browser for how to enable JavaScript.",
    "verifyGetFor" => array("type=duo_check", "upload.attachments.php", "upload.files.php", "type=ga_generate_qr")
);
```

I'm using the following command to authorize the API:

```shell
curl -L -X POST \
  http://teampass.domain.local/api/index.php/authorize \
  -H 'Content-Type: application/json' \
  -d '{
    "apikey": "Kx",
    "login": "test",
    "password": "8zY***"
  }'
```

docker-compose.yaml

```yaml
version: "3"
services:
  nginx:
    image: jwilder/nginx-proxy:alpine
    container_name: tp_nginx
    restart: unless-stopped
    networks:
      - frontend
      - backend
    ports:
      - "80:80"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro

  teampass-web:
    image: dormancygrace/teampass:latest
    container_name: tp_web
    restart: unless-stopped
    environment:
      VIRTUAL_HOST: teampass.domain.local
      VIRTUAL_PORT: 80
    volumes:
      - /var/tp:/var/www/html
    networks:
      - teampass-internal
      - backend
    depends_on:
      - db
  db:
    restart: unless-stopped
    image: yobasystems/alpine-mariadb:latest
    ports:
      - 3306:3306
    environment:
      MYSQL_ROOT_PASSWORD: xxx
      MYSQL_DATABASE: teampass
      MYSQL_PASSWORD: xxxx
      MYSQL_USER: teampass
    volumes:
      - /var/tp-db:/var/lib/mysql
    networks:
      - teampass-internal

networks:
  frontend:
  backend:
    external: true
  teampass-internal:
```

@justin77x commented

Did you solve that?
