Details
- Bug
- Resolution: Fixed
- High
- 1.4.2, 1.5.1, 1.3.3
- None
Description
There is an issue with logging in to Platform UI if the session is started before the login screen is loaded.
The user cannot log in, and the status returned from the POST request to /user/sessions is "Missing or invalid CSRF token".
The session is started in an event subscriber that subscribes to KernelEvents::REQUEST, so it happens before the Platform UI shell action is executed.
All it takes to trigger the behaviour is to start the session by calling SessionInterface::get() in the subscriber.
Steps to reproduce:
- Add a request subscriber in a bundle (you can use the one attached to the issue and update the namespace).
- Enable it in services.yml (also update the namespace if you used the example):

    services:
        app.exception_subscriber:
            class: EzSystems\SupportBundle\EventSubscriber\RequestSubscriber
            tags:
                - { name: kernel.event_subscriber }

- Try to log in to Platform UI.
- An error will be displayed: "Invalid username or password".
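A minimal subscriber that exercises the trigger described above, added here as an illustration and not the file attached to the issue. The namespace follows the services.yml snippet; the constructor flag and the session key are constructed, and the hasPreviousSession() guard is an assumed way to avoid starting a fresh session early, not a fix from the project:

```php
<?php
// Added illustration, not the subscriber attached to the issue.
// Targets the Symfony 2.x HttpKernel API used by eZ Platform 1.x.
namespace EzSystems\SupportBundle\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class RequestSubscriber implements EventSubscriberInterface
{
    /** @var bool Constructed toggle: true reproduces the report, false shows the guarded variant. */
    private $startSessionEagerly;

    public function __construct($startSessionEagerly = true)
    {
        $this->startSessionEagerly = $startSessionEagerly;
    }

    public static function getSubscribedEvents()
    {
        // High priority: runs before the Platform UI shell action handles the request.
        return [KernelEvents::REQUEST => ['onKernelRequest', 100]];
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        $request = $event->getRequest();
        if (!$event->isMasterRequest() || !$request->hasSession()) {
            return;
        }
        $session = $request->getSession();

        if ($this->startSessionEagerly) {
            // A plain read is enough: get() starts the session on the very first
            // request, which is the trigger described in the report.
            $session->get('app.seen_before', false);
            return;
        }

        // Guarded variant (assumption): only touch the session when the client already
        // sent a session cookie, so this subscriber never starts a new session ahead of
        // the login screen.
        if ($request->hasPreviousSession()) {
            $session->get('app.seen_before', false);
        }
    }
}
```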
Stacktrace

    "ErrorMessage": {
        "_media-type": "application/vnd.ez.api.ErrorMessage+json",
        "errorCode": 401,
        "errorMessage": "Unauthorized",
        "errorDescription": "User does not have access to '' 'Missing or invalid CSRF token'",
        "trace": " #0 [internal function]: eZ\\Publish\\Core\\REST\\Server\\Controller\\User->createSession(Object(Symfony\\Component\\HttpFoundation\\Request)) #1 /home/yan/prog/ezplatform/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php(139): call_user_func_array(Array, Array) #2 /home/yan/prog/ezplatform/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php(62): Symfony\\Component\\HttpKernel\\HttpKernel->handleRaw(Object(Symfony\\Component\\HttpFoundation\\Request), 1) #3 /home/yan/prog/ezplatform/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/DependencyInjection/ContainerAwareHttpKernel.php(69): Symfony\\Component\\HttpKernel\\HttpKernel->handle(Object(Symfony\\Component\\HttpFoundation\\Request), 1, true) #4 /home/yan/prog/ezplatform/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php(184): Symfony\\Component\\HttpKernel\\DependencyInjection\\ContainerAwareHttpKernel->handle(Object(Symfony\\Component\\HttpFoundation\\Request), 1, true) #5 /home/yan/prog/ezplatform/web/index.php(66): Symfony\\Component\\HttpKernel\\Kernel->handle(Object(Symfony\\Component\\HttpFoundation\\Request)) #6 {main}",
        "file": "/home/yan/prog/ezplatform/vendor/ezsystems/ezpublish-kernel/eZ/Publish/Core/REST/Server/Controller/User.php",
        "line": 1000
    }
Issue Links
- relates to
  - EZP-21265 As a developer, I want to have a SessionAuthAgent that is able to work on an existing session (Closed)
  - EZP-25482 Exception when CSRF token protection is disabled (Backlog)
  - EZP-25970 Admin login fails with missing CSRF token (Closed)
  - EZP-25344 Better error reporting when login fails (Closed)