Purpose of token length check against CSRF_SECRET_LENGTH?

[scott2b]

Hi all,

In reference to this code in the CSRF middleware

Perhaps someone can explain the purpose of this length check? And maybe if it is somehow affected by configuration or settings? I have been unable to get CSRF working -- it consistently fails despite having matching tokens between the form and cookie -- and as best as I can tell, this check of the token length is the culprit. For both the form token, and the cookie, _decode_csrf_token is returning None, and _csrf_tokens_match is returning False despite being equivalent strings.

Here is my pdb session for reference:

(Pdb) existing_csrf_token
'IlBXSnFBd0FnOEFJZGx0SHYi.gf3NfENcBawnDpHbuU1Y5m6al8o'
(Pdb) csrf_cookie
'IlBXSnFBd0FnOEFJZGx0SHYi.gf3NfENcBawnDpHbuU1Y5m6al8o'
(Pdb) self._csrf_tokens_match(existing_csrf_token, csrf_cookie)
False
(Pdb) type(existing_csrf_token)
<class 'str'>
(Pdb) type(csrf_cookie)
<class 'str'>
(Pdb) decoded_request_token = self._decode_csrf_token(existing_csrf_token)
(Pdb) decoded_cookie_token = self._decode_csrf_token(csrf_cookie)
(Pdb) decoded_request_token
(Pdb) decoded_cookie_token
(Pdb) CSRF_SECRET_LENGTH
64
(Pdb) len(existing_csrf_token)
52
(Pdb) len(csrf_cookie)
52

I appreciate any help on this. Thanks!

[Goldziher]

Can you provide a reproduction of the failure?

[scott2b]

Yes. Thanks.

main.py

from dataclasses import dataclass
from pathlib import Path
from typing import Annotated, Any
from litestar import Litestar
from litestar import get, post
from litestar import Request, MediaType
from litestar.config.csrf import CSRFConfig
from litestar.contrib.jinja import JinjaTemplateEngine
from litestar.template.config import TemplateConfig
from litestar.response import Template
from litestar.middleware.session.server_side import (
    ServerSideSessionBackend,
    ServerSideSessionConfig,
)
from litestar.security.session_auth import SessionAuth
from litestar.enums import RequestEncodingType
from litestar.params import Body
from litestar.response import Redirect
from litestar.middleware import (
    AbstractAuthenticationMiddleware,
    AuthenticationResult,
)
from litestar.connection import ASGIConnection
from litestar.exceptions import NotAuthorizedException
from litestar.middleware.base import DefineMiddleware


csrf_config = CSRFConfig(secret="my-secret")


@dataclass
class UserLoginPayload:
    email: str
    password: str


@dataclass
class User:
    id: int
    email: str
    password: str

    @property
    def is_authenticated(self):
        return True

users = {
    "user@example.com": User(id=1, email="user@example.com", password="user1")
}


@get(path="/", name="home")
def index(request:Request) -> Template:
    return Template(template_name="index.html")


@post("/login", name="login", include_in_schema=False)
async def console_login(
        data: Annotated[UserLoginPayload, Body(media_type=RequestEncodingType.URL_ENCODED)],
        request: Request[Any, Any, Any]
    ) -> Redirect:
    """Login a user."""
    user = users.get(data.email)
    if user:
        request.set_session({"user_id": user.id})
        return Redirect("/", status_code=302, media_type=MediaType.HTML)
    else:
        raise NotAuthorizedException


class MyAuthenticationMiddleware(AbstractAuthenticationMiddleware):
    async def authenticate_request(
        self, connection: ASGIConnection
    ) -> AuthenticationResult:
        # Not quite sure why we need auth middleware for form authentication. User
        # should be authenticated in the login controller.
        return AuthenticationResult(user=None, auth=None)

auth_mw = DefineMiddleware(MyAuthenticationMiddleware, exclude=["schema"])


async def retrieve_user_handler(
    session: dict[str, Any], connection: "ASGIConnection[Any, Any, Any, Any]"
) -> User | None:
    # return an arbitrary user for now. TODO: Is this ever called? How to implement?
    user = list(users.values())[0]
    return user


session_auth = SessionAuth[User, ServerSideSessionBackend](
    retrieve_user_handler=retrieve_user_handler,
    session_backend_config=ServerSideSessionConfig(),
    exclude=[],
)


app = Litestar(
    debug=True,
    route_handlers=[index, console_login],
    template_config=TemplateConfig(
        directory=Path("templates"),
        engine=JinjaTemplateEngine,
    ),
    csrf_config=csrf_config,
    middleware=[ServerSideSessionConfig().middleware, auth_mw],
    on_app_init=[session_auth.on_app_init],
)

templates/index.html

<html>
<head>
</head>
<body>
    {% if request.user %}
        {{ request.user.email }}
    {% else %}
    <form method="POST" action="/login">
        {{ csrf_input|safe }}
        <input aria-label="Email" autocomplete="email" class="css_class" id="email" name="email" placeholder="Email" required type="text" value="">
        <input aria-label="Password" autocomplete="password" class="css_class" id="password" name="password" placeholder="Password" required type="password" value="">
        <button type="submit" value="login">Login</button>
    </form>
    {% endif %}
</body>
</html>

[scott2b]

When I run main:app, this is what I get when I fill out the form. The username doesn't really matter because it does not get that far

INFO:     Started server process [91780]
INFO:     Waiting for application startup.
INFO:     Application startup complete.
INFO:     127.0.0.1:51986 - "GET / HTTP/1.1" 200 OK
ERROR - 2023-07-27 12:53:49,756 - litestar - config - exception raised on http connection to route /login

Traceback (most recent call last):
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/exceptions/middleware.py", line 157, in __call__
    await self.app(scope, receive, send)
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/authentication.py", line 78, in __call__
    await self.app(scope, receive, send)
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/base.py", line 129, in wrapped_call
    await original__call__(self, scope, receive, send)
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/session/base.py", line 245, in __call__
    await self.app(scope, receive, self.create_send_wrapper(connection))
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/authentication.py", line 78, in __call__
    await self.app(scope, receive, send)
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/csrf.py", line 124, in __call__
    raise PermissionDeniedException("CSRF token verification failed")
litestar.exceptions.http_exceptions.PermissionDeniedException: 403: CSRF token verification failed
Traceback (most recent call last):
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/exceptions/middleware.py", line 157, in __call__
    await self.app(scope, receive, send)
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/authentication.py", line 78, in __call__
    await self.app(scope, receive, send)
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/base.py", line 129, in wrapped_call
    await original__call__(self, scope, receive, send)
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/session/base.py", line 245, in __call__
    await self.app(scope, receive, self.create_send_wrapper(connection))
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/authentication.py", line 78, in __call__
    await self.app(scope, receive, send)
  File "/Users/scott/work/litestarmin/.venv/lib/python3.11/site-packages/litestar/middleware/csrf.py", line 124, in __call__
    raise PermissionDeniedException("CSRF token verification failed")
litestar.exceptions.http_exceptions.PermissionDeniedException: 403: CSRF token verification failed
INFO:     127.0.0.1:51989 - "POST /login HTTP/1.1" 403 Forbidden

[Goldziher]

issue opened. Pls use the issue for tracking. We'll get to it in the next few days.

[scott2b]

Thank you

[scott2b]

It turns out that this issue is happening for me specific to Chrome and specific to when I request via localhost rather than 127.0.0.1. I can only conclude that this is in fact a problem with my local configuration and not an issue in Litestar. Thank you for the attention to this.