Redmine: 422 invalid form authenticity token - ruby

I'm using this plugin to enable SSO between my IDP and Redmine. The purpose is to avoid re-entering the username and password when logging in to Redmine. Both Redmine and the IDP are connected to an external LDAP. The problem is that after redirecting back to Redmine from my IDP (after entering username & password), it gives this error.
Redmine version: 2.5.2,
Ruby version: 1.9.3,
Rails version: 3.2.19

Some details for Redmine 3.4.2
If you get an error 422 (Can't verify CSRF token authenticity), you must go to the controller file
/app/controllers/application_controller.rb
and remove or comment out the line with the code
render_error :status => 422, :message => "invalid form authenticity token."
then add the code
redirect_back_or_default(home_path)
So your code will look like this:
# render_error :status => 422, :message => "invalid form authenticity token."
redirect_back_or_default(home_path)

For us, this error appeared when an already logged-on user tried to re-logon (e.g. using multiple browser tabs).
The solution is here, patch application_controller.rb:
- render_error "Invalid form authenticity token."
+ redirect_back_or_default home_path
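Review bot: the `+` line replaces the 422 response with `redirect_back_or_default home_path`, so a request that fails the authenticity-token check now looks exactly like a successful page load to the user and in the access log; if the redirect is kept, log the unverified request before redirecting and confirm the surrounding handler still resets the session, and consider limiting the redirect to the re-login case described above rather than dropping the error for every form.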

It happened to us when using a reverse-proxy SSO. The configured name in the SSO did not have the same case as the user name within Redmine.
Extract from the nginx configuration:
# Pass the user to that stupid Passenger Phusion
# that cannot evaluate variables like $http_x_forwarded_user
passenger_env_var REMOTE_USER nicolasm;
And our user name in Redmine was NicolasM.
Removing security as suggested by other answers is not a long-lasting solution.


Why does Google 2FA (libpam) not work in opensuse

I have a little problem with google_authenticator_libpam in openSUSE. I have tried to find the problem myself, but nothing worked. I have tested it on two systems. I installed the package google_authenticator_libpam. After that I edited the file "/etc/pam.d/sshd":
#%PAM-1.0
auth required pam_google_authenticator.so noskewadj echo_verification_code nullok
auth requisite pam_nologin.so
#auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed
session optional pam_keyinit.so force revoke
And I edited the file "/etc/ssh/sshd_config" (added):
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive,password
And finally I restarted the sshd service.
After those steps the SSH prompt asks for the verification key. When I enter the correct key, the log file "/var/log/message" says "Invalid verification code".
My time is correct too.
Can anyone help me?
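No answer is recorded above, so as an added example (not from the question's author) here is the check the PAM module performs, written in Ruby: TOTP per RFC 6238 with the module's step window, using the RFC 6238 test secret rather than a real ~/.google_authenticator key. It shows that a code from the adjacent 30-second step is accepted with the default window of 3 but rejected with a window of 1, which is exactly the "Invalid verification code" a clock that is one step off produces.

```ruby
require 'openssl'

BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

# Decode a Base32 secret (RFC 4648), the form the module stores in ~/.google_authenticator.
def base32_decode(text)
  bits = text.upcase.delete('= ').each_char.map do |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "bad Base32 character #{c.inspect}" unless idx
    idx.to_s(2).rjust(5, '0')
  end.join
  bits.scan(/.{8}/).map { |byte| byte.to_i(2) }.pack('C*')
end

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, N digits.
def hotp(secret, counter, digits = 6)
  digest = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>'))
  offset = digest.getbyte(19) & 0x0f
  code = digest.byteslice(offset, 4).unpack1('N') & 0x7fffffff
  (code % 10**digits).to_s.rjust(digits, '0')
end

# TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
def totp(secret, unix_time, step: 30, digits: 6)
  hotp(secret, unix_time / step, digits)
end

# Accept a code if it matches any step inside the window, as the module does with its
# window_size option (default 3: the current step plus one on either side). With window_size 1
# only the current step counts, so a clock that is a single step off yields "Invalid verification code".
def totp_valid?(secret, code, unix_time, window_size: 3, step: 30)
  half = window_size / 2
  (-half..half).any? { |delta| totp(secret, unix_time + delta * step, step: step) == code }
end

# RFC 6238 test secret ("12345678901234567890" in Base32); a real secret comes from the user's file.
TEST_SECRET = base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ')

if __FILE__ == $PROGRAM_NAME
  now = 1_111_111_111
  previous = totp(TEST_SECRET, now - 30)
  puts "code for the previous step: #{previous}"
  puts "accepted with window_size 3: #{totp_valid?(TEST_SECRET, previous, now)}"
  puts "accepted with window_size 1: #{totp_valid?(TEST_SECRET, previous, now, window_size: 1)}"
end
```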

Rest-Client gem RoR, Getting SSL wrong version error

I want to build a CLI Ruby app which sends requests to a Rails API server. I wanted to use the rest-client gem to do that. Every time I use
RestClient.post
I get the following error
SSL_connect returned=1 errno=0 state=error: wrong version number (OpenSSL::SSL::SSLError)
Is there anything I can do for it to run from the console? The code is pretty simple, I just wanted to test out the feature, so don't worry, that's not final.
I am running rails 6.0.3, ruby 2.6.3.
require 'tty-prompt'
require 'rest-client'

prompt = TTY::Prompt.new

# Both branches need the credentials, so collect them before branching
email = prompt.ask('What is your email?') do |q|
  q.validate(/\A\w+@\w+\.\w+\Z/, 'Invalid email address')
end
pass = prompt.mask('password:')
puts email
puts pass

if prompt.yes?('Do you have an account ?')
  response = RestClient.post "https://localhost:3000/auth/sign_in", "email: #{email},password:#{pass}"
else
  response = RestClient.post "https://localhost:3000/auth", "email: #{email},password:#{pass}"
end
puts response.code
I would like for the cli app to send a request to API, That's it, rest-client doesn't want to cooperate with me. Thank You :D
Likely the port 3000 you access is only http:// and not https://. Accessing a plain http:// port with https:// will cause the client to interpret the server's HTTP error message (since the beginning of the TLS handshake sent by the client was not valid HTTP) wrongly as HTTPS, which can result in strange errors like invalid packet length or also wrong version number.
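As an added example (not part of the question or the answer), here is how that message arises and how to recognise it: OpenSSL reads the first five bytes the server sends as a TLS record header (content type, two-byte version, two-byte length). A plain-HTTP reply starting with "HTTP/" decodes to content type 0x48 and version 0x5454, whose major byte is not 0x03, and that failed version check is what surfaces as "wrong version number". The sample replies are constructed.

```ruby
# Decode the first five bytes of a server reply the way a TLS client does.
def tls_record_header(bytes)
  raise ArgumentError, 'need at least 5 bytes' if bytes.bytesize < 5
  type, version, length = bytes.unpack('Cnn')
  { content_type: type, version: version, length: length }
end

# Tell a real TLS server apart from a plain-HTTP port that was contacted with https://.
def classify_server_reply(bytes)
  return :too_short if bytes.bytesize < 5
  hdr = tls_record_header(bytes)
  if (hdr[:version] >> 8) == 0x03          # TLS 1.x records carry version 0x03xx
    case hdr[:content_type]
    when 0x16 then :tls_handshake          # e.g. a ServerHello
    when 0x15 then :tls_alert              # the server rejected our ClientHello
    else :tls_other
    end
  elsif bytes.start_with?('HTTP/')
    :plaintext_http                        # an http:// port answered our ClientHello with HTTP
  else
    :unknown
  end
end

# Constructed sample replies: what a Rails dev server on a plain http:// port sends back,
# and the start of a genuine TLS 1.2 ServerHello record (truncated).
PLAIN_HTTP_REPLY = "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n".b
TLS_SERVER_HELLO = "\x16\x03\x03\x00\x31\x02\x00\x00\x2d\x03\x03".b

if __FILE__ == $PROGRAM_NAME
  [PLAIN_HTTP_REPLY, TLS_SERVER_HELLO].each do |reply|
    puts "#{reply[0, 12].inspect} -> #{classify_server_reply(reply)} #{tls_record_header(reply)}"
  end
end
```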

ruby rest-client ipv6 request failure with Apache 2.2.31

I've been stuck with this for about two days...
I use ruby(version 2.3.3p222) gem rest-client(v2.0.0) to send a GET request with a ipv6 url to the server (Apache/2.2.31):
url = 'https://[fd36:4928:8040:dc10:0000:0000:0000:0160]:8080/resources/1'
resource = RestClient::Resource.new(url, :ssl_version => 'TLSv1', :verify_ssl => false, :headers => {'Authorization' => 'Basic cm9vdDAbCdEfwYXNzMSE='})
resource.get
I got a 400 bad response and the body says:"Your browser sent a request that this server could not understand. Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request"
However I can use curl command with the same parameters and get the right response, so I suspect maybe it's something wrong with the header of my rest-client request.
PS: I also tested with adding the 'host'
header: {'Authorization' => 'Basic cm9vdDAbCdEfwYXNzMSE=', 'host' => '[fd36:4928:8040:dc10:0000:0000:0000:0160]:8080' }
It still failed with the same bad response.
I just noticed the Apache error for this request; it says:
"httpd[29124]: [error] Hostname fd36:4928:8040:dc10:0000:0000:0000:0160 provided via SNI and hostname fd36:4928:8040:dc10:0000:0000:0000 provided via HTTP are different"
The curl command you supplied would translate --user admin:password into the following header:
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
However, you're sending
Basic: cm9vdDAbCdEfwYXNzMSE=
which is not the same thing... so the server is probably complaining about not getting the correct auth...
After debugging and googling for another day, this problem seems to be clear:
From a similar bug report to Chrome, https://bugs.chromium.org/p/chromium/issues/detail?id=500981: "SNI is only hostnames, and should never contain IPs." However, Ruby does use the IP as the hostname (in this case rest-client is not to blame since it just delegates everything down to the Ruby lib). You can find evidence in Net::HTTP#connect (around line 922):
# Server Name Indication (SNI) RFC 3546
s.hostname = @address if s.respond_to? :hostname=
Just comment out the last line and it will work (to work around this you have to do a monkey patch). Additionally, as pointed out by @alberge, the host header does not contain brackets; the final request host header is like this: "FD36:4928:8040:DC10::162", with no "[ ]" around it.
Also on the Apache side, it does something wrong since it just strips off everything from the last colon to get the host name without any extra check. This still exists in version 2.4.10; not sure if it is fixed or not.
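To make the two halves of this answer concrete, here is an added Ruby example (not from the question's author or from rest-client) using only the stdlib URI and IPAddr classes: it builds the Host header with the IPv6 literal bracketed as RFC 7230 requires, returns no SNI name for IP literals since RFC 6066 allows only DNS names there, and reproduces the last-colon parsing the Apache log line above reveals.

```ruby
require 'uri'
require 'ipaddr'

# True for IPv4/IPv6 literals, false for DNS names.
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Host header value for a URL (RFC 7230 section 5.4): an IPv6 literal keeps its brackets and the
# port is appended only when it differs from the scheme default. Ruby >= 2.2.0 dropped the
# brackets here, which is the Host/SNI mismatch Apache logged in the question.
def host_header_for(url)
  uri = URI.parse(url)
  host = uri.hostname                      # URI#hostname returns the IPv6 literal without brackets
  host = "[#{host}]" if host.include?(':') # put them back for the wire format
  uri.port == uri.default_port ? host : "#{host}:#{uri.port}"
end

# SNI server_name (RFC 6066 section 3) carries DNS hostnames only, so return nil for IP literals
# and let the caller leave SNI unset instead of sending the address as Ruby did.
def sni_name_for(url)
  host = URI.parse(url).hostname
  ip_literal?(host) ? nil : host
end

# The server-side parsing the Apache log reveals: dropping everything after the last colon is
# only correct when IPv6 literals are bracketed; an unbracketed one loses its last group.
def naive_strip_port(host_header)
  return host_header unless host_header.include?(':')
  host_header.rpartition(':').first
end

if __FILE__ == $PROGRAM_NAME
  url = 'https://[fd36:4928:8040:dc10:0000:0000:0000:0160]:8080/resources/1'
  puts "Host: #{host_header_for(url)}"
  puts "SNI:  #{sni_name_for(url).inspect}"
  puts "Apache sees unbracketed host as: #{naive_strip_port('fd36:4928:8040:dc10:0000:0000:0000:0160')}"
end
```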
This appears to be either a bug in rest-client or a regression in Ruby Net::HTTP.
https://github.com/rest-client/rest-client/issues/583
What version of Ruby are you using? Have you tried using Ruby 2.1 to see if it works there?
EDIT:
This is Ruby Bug #12642. The Host header for an IPv6 address is sent with no enclosing [ ].
Ruby in 2.1.6 - 2.1.10 doesn't have the bug, but versions >= 2.2.0 are affected.
And worse still, there's a bug with setting an explicit IPv6 Host header so you get an exception URI::InvalidComponentError: bad component(expected host component): [

Credentials issues using the rt-client rubygem (rest interface to request tracker ticket system)

I am having issues using the rt-client gem, as it keeps returning a "RT/4.0.8 401 Credentials Required". The REST interface for this site is working, as I have some Perl scripts that are currently working with it in a similar fashion.
test.rb
#!/usr/bin/env ruby
require 'rt/client'

rt = RT_Client.new
id = rt.create(:Queue     => "General",
               :Subject   => "Test",
               :Requestor => "test@example.org",
               :Text      => "Ignore me")
.rtclientrc
server=http://example.org/
user=exampleuser
pass=examplepass
cookies=tmp
Versions
Gem Version: rt-client-0.5.0
RT Version: 4.0.8
Ruby Version: 1.9.3p327
Output
Payload for new ticket:
------xYzZY492386xYzZY
Content-Disposition: form-data; name="content";
Queue: General
Subject: Test
Requestor: test@example.org
Text: Ignore me
id: ticket/new
------xYzZY492386xYzZY--
"RT/4.0.8 401 Credentials required\n"
I am seeing the error when I do a "puts id.inspect" at the bottom of test.rb, as the ticket is not getting created.
Is this perhaps an issue with the handling of cookies? I was trying to avoid writing a custom solution in Net::HTTP if possible, but I will go that route if this continues to be a hassle.
Author of the rt-client ruby gem here.
This was resolved some time ago and I know this is old, but it is ranked highly in a Google search for the gem. If anyone finding this question still has issues with rt-client, the gem is now on github.com. If you wish, please clone it, make your fix and send me a pull request.
https://github.com/uidzip/rt-client

Omniauth authentication fails in Rails 4

I am working in rails 4 and I am trying to authenticate using github. So in my Github application I have this:
URL: http:// localhost:4000
Callback URL: http:// localhost:4000/auth/github/callback
The callback url is the url that Github will try to reach when the authentication is done right?
So why do I get a Github page 404 error when I click on my link:
<%= link_to 'Sign in with Github', '/auth/github' %>
I am working on a localhost development environment, so that might be the problem?
Also when I type http:// localhost:4000/auth/github/callback in my browser I get an OmniAuth::Strategies::OAuth2::CallbackError
why? I have this in my routes.rb
post 'auth/:provider/callback' => 'home#index'
Is Rails 4 and Omniauth bugged?
(added the space in localhost so stackoverflow accepts my post)
I have github working with the gem omniauth-github
and a file config/initializers/omniauth.rb containing
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET']
end
However, when I enter http://localhost:3000/auth/github/callback on my browser I also get OmniAuth::Strategies::OAuth2::CallbackError so this shouldn't be the problem.
My config/environment.rb looks like
# Load the rails application
require File.expand_path('../application', __FILE__)
# Load the app's custom environment variables here, so that they are loaded before environments/*.rb
app_environment_variables = File.join(Rails.root, 'config', 'app_environment_variables.rb')
load(app_environment_variables) if File.exists?(app_environment_variables)
...
and my config/app_environment_variables.rb looks like
# OAuth Keys and Secrets
if Rails.env.production?
  ENV['GITHUB_KEY'] = 'd1234a3a123a1a3a123c'
  ENV['GITHUB_SECRET'] = '1234azer123azer1231209jeunsghezkndaz1234'
else
  ENV['GITHUB_KEY'] = 'qsflkjkj685bg554456b'
  ENV['GITHUB_SECRET'] = 'qslkfj7757kqfmlsdh675hlfsd587kjfdh687jsd'
end
See Is it possible to set ENV variables for rails development environment in my code? for more details on that.
I have 2 applications registered on github. One app_name-dev with key qsflk..., url http://localhost:3000 and callback url http://localhost:3000/auth/github/callback and one app_name with key d1234a....
Check that you have done that correctly. Maybe try to change localhost to 127.0.0.1.
For me it was Github's new stricter URI matching that was producing a 404 when trying to redirect to http://localhost:3000/auth/github/callback, I solved it by passing the redirect URI as a parameter with Omniauth.
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET'],
           :scope => 'user,public_repo',
           :redirect_uri => ENV['GITHUB_REDIRECT']
end
If you're on Linux/Mac you can add environment variables from the command line.
$ export GITHUB_REDIRECT=http://localhost:3000/auth/github/callback
Alternatively, you could use something like Foreman that will let you add a .env file which you can use to store your variables in.
Just remember to add the appropriate redirect URI to your production environment's variables, and you're good to go.
