
[Bug] CSRF token verification failed #1505

Closed
phramusca opened this issue Jan 19, 2025 · 5 comments
@phramusca

RomM version
3.7.2

Describe the bug
curl http://192.168.1.12/api/collections -H 'Authorization: Basic YWRtaW46YWRtaW4='

returns

[{"id":1,"name":"collection 1","description":"","path_cover_l":"","path_cover_s":"","has_cover":false,"url_cover":"","roms":[],"rom_count":0,"user_id":1,"user__username":"admin","is_public":false,"created_at":"2025-01-19T17:11:49+00:00","updated_at":"2025-01-19T17:11:49+00:00"},{"id":2,"name":"collection 2","description":"","path_cover_l":"","path_cover_s":"","has_cover":false,"url_cover":"","roms":[],"rom_count":0,"user_id":1,"user__username":"admin","is_public":false,"created_at":"2025-01-19T17:11:59+00:00","updated_at":"2025-01-19T17:11:59+00:00"}]

BUT with POST/PUT commands, I get CSRF token verification failed

To Reproduce

  • Get a token:
curl -X 'POST' \
  'http://rpi5.local/api/token' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=password&scope=collections.write&username=admin&password=admin'
  • Post a collection:
curl -X POST http://rpi5.local/api/collections -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6InJvbW06b2F1dGgiLCJzY29wZXMiOiJjb2xsZWN0aW9ucy53cml0ZSIsInR5cGUiOiJhY2Nlc3MiLCJleHAiOjE3MzczMDkwOTF9.btzZaXN3r0n8y-jUSEw6NtUq5EB7JkymgAlpCCTn5N8' -H 'Content-Type: multipart/form-data' -F 'name=Yeah it rocks'

You get CSRF token verification failed :(

Expected behavior
HTTP 200, possibly with a JSON response body

Additional information

Also, when I try to authenticate with OAuth2PasswordBearer (OAuth2, password) in http://rpi5.local/api/docs, I get an auth error "Error: Not Allowed" (note that HTTPBasic (http, Basic) works fine).

I had already reported Bug#1218, which got closed, so I thought it had been solved.

Maybe I am just not using authentication properly?

@phramusca phramusca added the bug label Jan 19, 2025
@gantoine
Member

gantoine commented Jan 19, 2025

Hot damn I think you're one of the first people outside the team to try and use the API! It's possible we broke something with OIDC work, or it's been broken for a while (we don't make any POST requests to the API in any of our plugins). Will have a look soon.

@gantoine gantoine self-assigned this Jan 19, 2025
@adamantike
Contributor

adamantike commented Jan 20, 2025

I think we should move to the asgi-csrf library. It correctly skips CSRF check when an Authorization header is present: https://github.com/simonw/asgi-csrf/blob/e23af3215539317707c60266e1b5122a77f026ca/asgi_csrf.py#L165-L171
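The rule the linked asgi-csrf code applies is worth seeing in full, because it is the fix for exactly the failure reported above: a CSRF check exists to stop a browser from being tricked into sending a cookie-authenticated state-changing request, and a browser never attaches an Authorization header on its own, so a request that carries Basic or Bearer credentials cannot be a cross-site forgery and needs no CSRF token. The following is an added example, not RomM's code and not the asgi-csrf library itself: a minimal pure-ASGI middleware that does the double-submit-cookie check for unsafe methods, skips it when an Authorization header is present, and comes with a small driver that feeds it constructed ASGI scopes so it runs offline. The cookie name romm_csrftoken is the one mentioned later in this thread; the X-CSRFToken header name, the echo_app and all request contents are assumptions made for the example.

```python
import asyncio
import hmac
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "romm_csrftoken"  # cookie name as reported in this thread
HEADER_NAME = b"x-csrftoken"    # assumed header name for the double-submit value


def _cookie_value(raw_cookie_header: bytes, name: str) -> str:
    """Extract one cookie value from a raw Cookie header (empty string if absent)."""
    jar = SimpleCookie()
    jar.load(raw_cookie_header.decode("latin-1"))
    return jar[name].value if name in jar else ""


async def _reject(send, reason: bytes) -> None:
    """Send a 403 without ever reaching the wrapped application."""
    await send({"type": "http.response.start", "status": 403,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": reason})


class CsrfMiddleware:
    """Double-submit-cookie CSRF check, skipped for header-authenticated API calls."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or scope["method"].upper() in SAFE_METHODS:
            return await self.app(scope, receive, send)
        headers = {k.lower(): v for k, v in scope["headers"]}
        if b"authorization" in headers:
            # Basic/Bearer credentials are attached explicitly by the client; a browser
            # never adds them by itself to a cross-site request, so no CSRF check is
            # needed. Whether the credentials are valid is the auth layer's job.
            return await self.app(scope, receive, send)
        cookie_token = _cookie_value(headers.get(b"cookie", b""), COOKIE_NAME).encode()
        header_token = headers.get(HEADER_NAME, b"")
        # Constant-time compare; an empty cookie token always fails.
        if not cookie_token or not hmac.compare_digest(cookie_token, header_token):
            return await _reject(send, b"CSRF token verification failed")
        return await self.app(scope, receive, send)


async def echo_app(scope, receive, send):
    """Stand-in for the protected application (assumed): answers 200 with the method."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": scope["method"].encode()})


def run_request(method: str, headers: dict[str, str]) -> tuple[int, bytes]:
    """Drive the middleware with a constructed ASGI scope; returns (status, body)."""
    scope = {"type": "http", "method": method, "path": "/api/collections",
             "headers": [(k.lower().encode(), v.encode()) for k, v in headers.items()]}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(CsrfMiddleware(echo_app)(scope, receive, send))
    status = next(m["status"] for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return status, body


if __name__ == "__main__":
    # Bearer-authenticated POST as in the report: no cookie, no CSRF header, passes.
    print(run_request("POST", {"Authorization": "Bearer dummy"}))
    # Session cookie alone, no matching header: the forged-request shape, rejected.
    print(run_request("POST", {"Cookie": "romm_session=abc; romm_csrftoken=tok"}))
    # Cookie plus matching header: the browser-client shape, passes.
    print(run_request("POST", {"Cookie": "romm_csrftoken=tok", "X-CSRFToken": "tok"}))
```

One caveat before adopting the skip rule: it is only safe if the authentication layer, having seen an Authorization header, does not silently fall back to the session cookie when that header fails to validate. If it did, an attacker could send a garbage Authorization header from a cross-site context to bypass the check while the cookie still authenticated the request; the header must either authenticate the request or fail it outright.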

@DotG467

DotG467 commented Jan 20, 2025

Hello, a few days ago I encountered a similar issue, but with the “saves” endpoint (using cURL in C++).

The GET endpoints such as “Heartbeat,” “Stats,” “Roms,” and “Platforms” worked without any problems. The POST requests for “Login” and “Token” also worked. However, when making a POST request to upload a save to my RomM instance, I also received a CSRF error.


Several attempts to work around the error failed. I even manually extracted the “romm_csrftoken” and “romm_session” (id) cookies from the “Login” response and included them in the POST request for “saves,” but this did not resolve the error.

@gantoine
Member

This'll be fixed in the next release!

@phramusca
Author

phramusca commented Jan 31, 2025

I confirm it works fine now :) Thanks!

curl -X POST http://192.168.1.12/api/collections -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: multipart/form-data' -F 'name=Yeah it rocks'
{"id":3,"name":"Yeah it rocks","description":"","path_cover_l":"","path_cover_s":"","has_cover":false,"url_cover":"","roms":[],"rom_count":0,"user_id":1,"user__username":"admin","is_public":false,"created_at":"2025-01-31T19:02:35+00:00","updated_at":"2025-01-31T19:02:35+00:00"}

And using a token too:

curl -X 'POST' \
  'http://rpi5.local/api/token' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=password&scope=collections.write&username=admin&password=admin'
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6InJvbW06b2F1dGgiLCJzY29wZXMiOiJjb2xsZWN0aW9ucy53cml0ZSIsInR5cGUiOiJhY2Nlc3MiLCJleHAiOjE3MzgzNTI0MjF9.h_B61QB0seik7CMELoDHLAPIjRiWDCePvHrP6CKZ9gM","refresh_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6InJvbW06b2F1dGgiLCJzY29wZXMiOiJjb2xsZWN0aW9ucy53cml0ZSIsInR5cGUiOiJyZWZyZXNoIiwiZXhwIjoxNzM4OTU1NDIxfQ.GZqL2EFf7MfhiKur7UOO5Me_VOpUs2KdxTM0Pi1EHaI","token_type":"bearer","expires":1800}

curl -X POST http://rpi5.local/api/collections -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6InJvbW06b2F1dGgiLCJzY29wZXMiOiJjb2xsZWN0aW9ucy53cml0ZSIsInR5cGUiOiJhY2Nlc3MiLCJleHAiOjE3MzgzNTI0MjF9.h_B61QB0seik7CMELoDHLAPIjRiWDCePvHrP6CKZ9gM' -H 'Content-Type: multipart/form-data' -F 'name=Using Token'
{"id":4,"name":"Using Token","description":"","path_cover_l":"","path_cover_s":"","has_cover":false,"url_cover":"","roms":[],"rom_count":0,"user_id":1,"user__username":"admin","is_public":false,"created_at":"2025-01-31T19:11:08+00:00","updated_at":"2025-01-31T19:11:08+00:00"}
