CSRF enforcement in v2.6.0 breaks RStudio IDE and other POST requests #11406

Closed
@JensHeise

Description

Hello,

we have a template running code-server and RStudio as IDEs.
The v2.6.0 release seems to break the RStudio IDE and all POST requests inside apps running in vscode.

We think we got it down to #11283 enforcing CSRF.
All requests to the Coder API are functional but inside the IDEs POST requests are not.
This is due to the X-CSRF-TOKEN header not being set on the other requests.

Is there some way to fix this on our side, or should there maybe be another exemption in coderd/httpmw/csrf.go for the URLs where apps are running, e.g. /@USER/test.instance/apps/?
Or maybe a switch to remove the enforcement of CSRF for now?
I'm not really experienced with CSRF so I'm looking forward to your help!

Expected Behavior

RStudio opens as usual, which it did before upgrading to v2.6.0.

Actual Behavior

RStudio does not start and throws the following error:
[screenshot of the RStudio error]

This can be backtraced to this POST call failing due to the coder CSRF protection kicking in.
Note that the rs-csrf-token and csrf-token cookies are from RStudio and the csrf_token cookie is from Coder.

curl 'https://coder.example.com/@USER/test.instance/apps/rstudio/rpc/client_init' \
  -H 'authority: coder.example.com' \
  -H 'accept: application/json' \
  -H 'cookie: coder_signed_app_token=<REDACTED>; user-id=<REDACTED>; user-list-id=<REDACTED>; persist-auth=0; rs-csrf-token=853023c5-6fe8-428a-9984-547f927d34a0; csrf-token=853023c5-6fe8-428a-9984-547f927d34a0; csrf_token=jadP8iK3mcFW5T24bfmSPKGbiWEYzKxS8k4gc5HcVbo=; oauth_state=<REDACTED>; oauth_redirect=/; coder_session_token=<REDACTED>' \
  -H 'origin: https://coder.example.com' \
  -H 'referer: https://coder.example.com/@USER/test.instance/apps/rstudio/' \
  -H 'x-rs-csrf-token: 853023c5-6fe8-428a-9984-547f927d34a0' \
  -H 'x-rs-rid: -256097717' \
  --data-raw '{"method":"client_init", "params":["https://coder.example.com/@USER/test.instance/apps/rstudio/","unfj3yhzabbmh01252nbz5tmv6z1fl1k"], "kwparams":{"restore_workspace":2, "run_rprofile":2}, "clientVersion":""}' \
  --compressed

Response:
400 | Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies.

When I set the X-CSRF-TOKEN header manually and resend the request, it gets through but RStudio still doesn't start...

Steps to Reproduce the Problem

  1. Set up a template as described in the documentation here
  2. Start workspace from template
  3. Start RStudio

Specifications

  • Version: v2.6.0
  • Platform: Linux
  • Subsystem: Ubuntu 22.04
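An added example (not code from the Coder project or from this issue) showing what a path-based exemption in a CSRF middleware could look like, alongside a simplified double-submit check: on state-changing requests the csrf_token cookie must equal the X-CSRF-TOKEN header, except under workspace-app paths of the form /@user/workspace/apps/..., where the proxied app (RStudio with its rs-csrf-token here) is expected to enforce its own CSRF protection. The function names, the path regex, the /api/v2/workspaces path used as a non-app request, and the raw cookie-equals-header comparison are assumptions for illustration; the real middleware's token format and comparison may differ.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// workspaceAppPath is an assumed pattern for proxied workspace-app URLs such as
// /@USER/test.instance/apps/rstudio/rpc/client_init (the path from the issue).
var workspaceAppPath = regexp.MustCompile(`^/@[^/]+/[^/]+/apps/[^/]+(/.*)?$`)

// IsWorkspaceAppPath reports whether a request path targets a workspace app.
func IsWorkspaceAppPath(p string) bool {
	return workspaceAppPath.MatchString(p)
}

const csrfError = "Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies."

// CSRF is a hypothetical double-submit-cookie middleware: safe methods pass,
// workspace-app paths are exempt, and every other request must carry an
// X-CSRF-TOKEN header equal to the csrf_token cookie.
func CSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
			next.ServeHTTP(w, r)
			return
		}
		if IsWorkspaceAppPath(r.URL.Path) {
			// Exempt: the proxied app (e.g. RStudio's rs-csrf-token) protects itself.
			next.ServeHTTP(w, r)
			return
		}
		cookie, err := r.Cookie("csrf_token")
		header := r.Header.Get("X-CSRF-TOKEN")
		if err != nil || header == "" ||
			subtle.ConstantTimeCompare([]byte(cookie.Value), []byte(header)) != 1 {
			http.Error(w, csrfError, http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Status sends a synthetic request through CSRF and returns the HTTP status.
func Status(method, path, cookieVal, headerVal string) int {
	req := httptest.NewRequest(method, path, nil)
	if cookieVal != "" {
		req.AddCookie(&http.Cookie{Name: "csrf_token", Value: cookieVal})
	}
	if headerVal != "" {
		req.Header.Set("X-CSRF-TOKEN", headerVal)
	}
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	CSRF(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tok := "jadP8iK3mcFW5T24bfmSPKGbiWEYzKxS8k4gc5HcVbo=" // csrf_token value from the issue
	fmt.Println("app POST without header:", Status("POST", "/@USER/test.instance/apps/rstudio/rpc/client_init", tok, ""))
	fmt.Println("API POST without header:", Status("POST", "/api/v2/workspaces", tok, ""))
	fmt.Println("API POST with header:   ", Status("POST", "/api/v2/workspaces", tok, tok))
}
```

The trade-off is visible in the exempt branch: every app proxied under /@user/workspace/apps/ loses the server-side check, so an exemption like this is only safe when the app itself rejects cross-site POSTs (RStudio does, via its own rs-csrf-token header, which is why the forged curl request in the issue still carries x-rs-csrf-token).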

Labels: need-help