(PXP-7565): User registration, plus CSRF changes #906
Conversation
|
The style in this PR agrees with This formatting comment was generated automatically by a script in uc-cdis/wool. |
fence/config-default.yaml
Outdated
| @@ -802,6 +805,11 @@ SYNAPSE_URI: 'https://repo-prod.prod.sagebase.org/auth/v1' | |||
| SYNAPSE_JWKS_URI: | |||
| SYNAPSE_DISCOVERY_URL: | |||
| SYNAPSE_AUTHZ_TTL: 86400 | |||
| # MIDRC user registration feature: Ask users to register (provide name/org/email) on login. | |||
There was a problem hiding this comment.
I'd rather not mention specific projects, but just call this an optional feature
There was a problem hiding this comment.
bumping this, we should remove the reference to MIDRS. Call this an optional feature
| {% block content %} | ||
| <form method="post"> | ||
|
|
||
| <h1 class="introduction">Register in order to get access to download data</h1> |
There was a problem hiding this comment.
feels like this text should be configurable, a template var and some cfg thrown in? What happens if someone wants to use a different HTML form though, with different fields? Maybe there could be different "registration forms" and each one is tied to a template in the templates folder?
I'm just trying to think how we can make this more generic
There was a problem hiding this comment.
Very true, but I was thinking that I should keep it simple until the need arises for very configurable registration forms (if it ever does), rather than adding complexity straight away that may never become useful. Also, the different-registration-forms thing would need not only different templates but also different form classes and maybe different field validators..?
In any case I can definitely still push for this if you want 👍 lmk!
bb36f6b to
46fce4d
Compare
Pull Request Test Coverage Report for Build 11604
💛 - Coveralls |
bc8e995 to
69da6b4
Compare
* Except recent pentest PR sets cookie HttpOnly to True * So XHR won't work here; also means existing consent form code is broken
* No longer cookie-based: WTForms manages a session CSRF token to check against * Retained most of the old CSRF logic but accepts hidden HTML form field as well as header * Added benefit of signed CSRF tokens * NB: turns out Fence-issued csrftoken cookies were being overwritten by cloud-auto anyway
d5b50e0 to
a29d1eb
Compare
82fbfaa to
fc072a0
Compare
Jira Ticket: PXP-7565
Two pieces to this PR: (1) Add user registration endpoints, and (2) update CSRF handling.
Registration means that a user provides their name, organization, and email, in order to gain some predefined permissions (i.e. to be automatically added to a preconfigured Arborist group). For more information see the docstrings in the diff. This PR adds the registration form itself along with an admin endpoint to list registered users and their information. Register Users is an optional feature. The user information provided during registration IS NOT VALIDATED IN ANY WAY currently. The registration page is not customizable at the moment.
The registration form presents some difficulties with existing CSRF protection, so this PR also includes CSRF changes alongside a sister cloud-automation PR uc-cdis/cloud-automation#1580. More info below.
Instructions for testing/using:
NOT implemented in this PR:
Background on CSRF:
Prior to this PR, CSRF protection was being implemented at two levels--once in Fence, and the other in the revproxy. Both Fence and the revproxy used the cookie-to-header method for CSRF prevention. There were multiple problems with this.
First problem: HTML forms. The new registration form, like other HTML forms, is not compatible with the cookie-to-header method. (The usual way to implement CSRF protection with HTML forms is using a hidden form field.) Fence's other, existing HTML form, the OAuth consent form, up until recently was using AJAX instead of a plain form submit to get around this. This additionally necessitated some interesting gymnastics for redirects to work. Then, recently, Fence began to only issue HttpOnly cookies in response to pen testing, and so the AJAX method technically broke--except that the revproxy was rewriting the csrf cookies anyway, see below, and so things happened to keep working.
Second problem: Fence cookie was being overwritten. Fence has been operating under the assumption that it manages its own CSRF token. But actually the revproxy rewrites the token and performs its own CSRF checking. Apart from being confusing (see above), this also meant that Fence effectively couldn't implement its own CSRF protection (for example, requests with the correct token in a form field would still fail the revproxy CSRF check), while at the same time the revproxy CSRF fails to accommodate verification via HTML hidden form fields.
A full reconsideration of CSRF protection in Gen3 (involving revproxy, Fence, and all the other services) was outside the scope of this ticket. The present solution makes partial improvements while maintaining existing behavior around CSRF checks. (NB: This existing behavior is also the reason why this PR does not fully discard all the current CSRF code in favor of built-in WTForms protection. Further work in that direction might want to start here.) The changes consist of the following:
See uc-cdis/cloud-automation#1580 for the required revproxy change.
New Features
Add registration endpoints (registration form endpoint and admin-only list endpoint)
Breaking Changes
Bug Fixes
Improvements
Improvements around CSRF handling
Dependency updates
New dependency Flask-WTF
Deployment changes
Requires these cloud-automation updates to revproxy: uc-cdis/cloud-automation#1580