Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix login broken by insufficient tokenId checking #175

Merged
merged 2 commits into from
Jun 7, 2024

Conversation

fyrbach
Copy link
Member

@fyrbach fyrbach commented Jun 7, 2024

This PR fixes login in XUI.

The login was not working because of the failing POST request to the /json/sessions?_action=getSessionInfo endpoint that was not able to verify token ownership when it was not in the URL.

These changes add ability to retrieve token ID from HTTP header or cookie for authorization verification of CREST action.

fyrbach added 2 commits June 7, 2024 00:47
The token ID can be retrieved from HTTP header or cookie for
authorization verification of CREST action.

This fixes an issue when requesting of the session info without token ID
in URL was forbidden - requests ended with HTTP status 403.
@fyrbach fyrbach added the bug label Jun 7, 2024
@fyrbach fyrbach requested a review from pavelhoral June 7, 2024 07:32
Copy link
Member

@pavelhoral pavelhoral left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pavelhoral pavelhoral merged commit d233674 into WrenSecurity:main Jun 7, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants