CSRF Verification + Authentication on Scratch #380
Replies: 9 comments
-
there is an API endpoint for creating CSRF tokens, but it isn't needed
alas ***@***.***> wrote on Thu., 6 Feb 2025, 17:54:
hey, I have some questions about Scratch's CSRF token system and authentication system in general. I have a basic understanding of what these tokens are for, but I don't specifically understand what Scratch did here. In some API requests, there seem to be two CSRF tokens, one in the cookies and one as an X-CSRFToken header. That kinda makes sense, since the server can check if both are equal and let the request pass through or not based on that. But I also remember seeing requests made to /csrf in the past; I just can't see them anymore. Did they make changes to the API? I'm sorry for all the questions, but right now I'm not really sure about what x-token, sessionid and the CSRF tokens are in Scratch. Thanks for your patience,
~alas
-
why does the Scratch app make requests to it though if it's not needed?
-
I don't know, maybe they changed it at some point
alas ***@***.***> wrote on Thu., 6 Feb 2025, 20:01:
why does the Scratch app make requests to it though if it's not needed?
-
Maybe some browsers don't support setting cookies using JS
-
It has something to do with making sure that requests are coming from scratch.mit.edu, and it lies not in the content of the cookie, but the fields. This (and some other CSRF things across Scratch) ensures that you can't, for example, post on the forums by submitting a form on another website.
-
Interesting. Could you please provide more details for how it lies in the fields? From what I've seen, this is what I figured out, but I'm not sure: Is that correct? Is there more to it?
-
Yeah, we knew that, but why doesn't the website just generate the cookie using JS was the question
-
Yes, that's weird. There must be some server-side validation of the value itself too...
-
I think it's because the server needs to set a SameSite rule that's strict so that you have to start the request and end the request on scratch.mit.edu.
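As an added illustration of the two ideas raised in this thread (a double-submit check where cookie and X-CSRFToken header must agree, plus server-side validation of the token value itself, with the cookie issued by the server so its SameSite attribute is fixed there): this is example code, not Scratch's implementation, and the names SECRET_KEY, issue_csrf_token, csrf_set_cookie_header and verify_csrf are assumptions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed server-side secret for the example; a real deployment keeps this out of source.
SECRET_KEY = b"constructed-example-secret"


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to the session: nonce plus HMAC(secret, nonce:session_id).

    The HMAC lets the server check the value itself, not only that cookie
    and header happen to be equal (a pair an attacker could otherwise make up).
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{nonce}:{session_id}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_set_cookie_header(token: str) -> str:
    """Set-Cookie value the server sends. SameSite=Strict means a form submitted
    from another site never carries the cookie; it is deliberately not HttpOnly,
    because the page's own JS must read it to fill the X-CSRFToken header."""
    return f"csrftoken={token}; Path=/; Secure; SameSite=Strict"


def verify_csrf(headers: dict, session_id: str) -> tuple[bool, str]:
    """Double-submit check followed by validation of the token value."""
    cookies = SimpleCookie(headers.get("Cookie", ""))
    cookie_token = cookies["csrftoken"].value if "csrftoken" in cookies else None
    header_token = headers.get("X-CSRFToken")
    if not cookie_token or not header_token:
        return False, "missing csrf cookie or header"
    # Step 1: cookie and header must match (constant-time compare).
    if not hmac.compare_digest(cookie_token, header_token):
        return False, "cookie/header mismatch"
    # Step 2: recompute the HMAC; rejects a matching-but-forged pair or a token
    # minted for a different session.
    nonce, _, mac = header_token.partition(".")
    expected = hmac.new(SECRET_KEY, f"{nonce}:{session_id}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "token not issued for this session"
    return True, "ok"
```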