With the release of Open-AudIT 2.2.2 we have improved the CSRF implementation.

You still receive a token with every response from Open-AudIT, and you still need to submit that token with the HTML form to create an item. At this stage ONLY HTML forms need to do this. Going forward, ALL POST, PUT, PATCH and DELETE requests will need to include the access token; this is NOT required for 2.2.2 though.

We have introduced two new configuration items.

access_token_enable - Set to y by default, which enables the requirement to use access tokens. If set to n, CSRF access token verification is disabled.

access_token_count - Set to 20 by default. This means any of the last 20 access tokens issued can be submitted and will pass validation.

The access token is regenerated with every request.

In normal use, no difference should be seen by the user.

In certain circumstances (for example, when the token submitted is older than the last access_token_count tokens issued), the CSRF protection will kick in and reject a submitted form. This should not happen often (if ever); attempting a second time to create the item, or logging off and back on, should resolve the issue.

You can see the access token in the JSON response under meta -> access_token (as below).

{
  "meta":
    {
      "access_token":"42578d44ac02490137917797bd722acb4ff7d5bdf62a04ba4346553638c3",
      "action":"collection",
      "baseurl":"http......
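To make the scheme concrete, here is an added example (not Open-AudIT's own code) that models the behaviour described above: every response carries a fresh token in meta.access_token, the server remembers the last access_token_count tokens, and a state-changing request is accepted only if it submits one of them while access_token_enable is y. The class and function names (TokenStore, respond, handle_request, demo) and the error shape are assumptions for illustration; only the configuration item names and the meta.access_token field come from the page.

```python
"""Added example: a minimal model of the Open-AudIT 2.2.2 access-token
scheme. Names such as TokenStore and handle_request are assumptions,
not Open-AudIT identifiers."""

import secrets
from collections import deque


class TokenStore:
    """Per-session ring of recently issued CSRF access tokens."""

    def __init__(self, access_token_enable="y", access_token_count=20):
        # Assumed mapping of the two 2.2.2 configuration items onto this model.
        self.enabled = access_token_enable == "y"
        # deque with maxlen drops the oldest token once more than N are stored.
        self.tokens = deque(maxlen=access_token_count)

    def issue(self):
        """Generate a new token for this response; called on every request."""
        token = secrets.token_hex(30)  # 60 hex characters, like the sample above
        self.tokens.append(token)
        return token

    def verify(self, submitted):
        """Accept if verification is disabled or the token is one of the last N."""
        if not self.enabled:
            return True
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        # Constant-time comparison against each stored token so a timing
        # side channel cannot reveal how much of a guess matched.
        return any(secrets.compare_digest(submitted, t) for t in self.tokens)


def respond(store, action, data=None):
    """Build a JSON-style response whose meta carries a fresh access_token."""
    return {"meta": {"access_token": store.issue(), "action": action},
            "data": data or []}


def handle_request(store, method, form):
    """State-changing methods must carry a token that passes verification."""
    if method in ("POST", "PUT", "PATCH", "DELETE") and not store.verify(form.get("access_token")):
        return {"error": "CSRF token rejected"}  # constructed error shape
    # Action names here are constructed; the page only shows "collection".
    return respond(store, "collection" if method == "GET" else "create")


def demo(access_token_count=3):
    """Walk through the flows described on the page (constructed scenario)."""
    store = TokenStore(access_token_count=access_token_count)
    # 1. Normal flow: load the form (GET), then submit with the token just received.
    page = handle_request(store, "GET", {})
    ok = handle_request(store, "POST", {"access_token": page["meta"]["access_token"]})
    # 2. Stale flow: a token is received, then more than N other requests
    #    happen before the form is submitted, so it has rotated out.
    old = handle_request(store, "GET", {})["meta"]["access_token"]
    for _ in range(access_token_count):
        handle_request(store, "GET", {})
    stale = handle_request(store, "POST", {"access_token": old})
    # 3. A missing token is rejected.  4. With access_token_enable=n anything passes.
    missing = handle_request(store, "POST", {})
    off = handle_request(TokenStore(access_token_enable="n"), "DELETE", {})
    return {"normal": "error" not in ok, "stale": "error" in stale,
            "missing": "error" in missing, "disabled": "error" not in off}


if __name__ == "__main__":
    print(demo())
```

The stale flow in demo() is the "certain circumstances" case from the text: a form opened in one tab while other requests continue in another will eventually hold a token older than the last access_token_count, and resubmitting (which fetches a fresh token) clears it.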

...

OUT OF DATE as at Open-AudIT 2.2.2.

Open-AudIT 2.2.1 includes our initial implementation to mitigate CSRF.

...