
fix: disabled CSRF check for github codespaces #4336

Merged
merged 5 commits into from
Dec 13, 2023

Conversation

niladrix719
Member

Fixes #4334

Describe the changes you have made in this PR -

Disabled the CSRF check for GitHub Codespaces.

Screenshots of the changes (If any) -

Screen.Recording.2023-12-02.at.11.59.22.PM.mov

@tachyons
Member

tachyons commented Dec 5, 2023

We need to add the Codespaces URL here:

config.hosts << /.*\.gitpod\.io\Z/

Removing the CSRF check altogether makes it harder to test on Codespaces.

@niladrix719
Member Author

But in the dev environment we are already whitelisting everything:

config.hosts << /.*\Z/ # Whitelist everything in Dev

I have tried using config.hosts << /.*\.app\.github\.dev\Z/, which does not seem to work.

Upon research I found this issue:
github/codespaces-rails#37

I will investigate more to see if there is a solution without disabling it.

@tanmoysrt
Member

tanmoysrt commented Dec 5, 2023

Hi @niladrix719
I checked the issue. It seems that GitHub Codespaces has a reverse proxy setup which passes the requests to the containers.

Now, while doing the reverse proxy, they don't rewrite the Host header.
As a result, the request URL becomes localhost:3000/*
and the HTTP Host header also changes to localhost, but the X-Forwarded-Host header contains the actual URL (*.github.dev).

So, as a result, it fails CSRF verification (request base !== X-Forwarded-Host).

In older Rails, it gave preference to the X-Forwarded-Host header instead of the Host header to decide the actual host.
In the latest patches, they have given preference to the Host header to resolve a cache poisoning attack. Ref - rails/rails#29893 rails/rails#22965

Usually, while using nginx/haproxy/traefik we can rewrite this header, but in Codespaces we don't have that flexibility.

So, we may disable CSRF for only GitHub Codespaces.

We can add this configuration to disable the CSRF check in development:

config.action_controller.forgery_protection_origin_check = false

@tanmoysrt
Member

If you want to just check whether it's a Codespace, you can use the DEV_CONTAINER environment variable.
Ref - https://github.com/CircuitVerse/CircuitVerse/blob/master/.devcontainer/docker-compose.yml#L21

@tanmoysrt
Member

cc @tachyons

@niladrix719
Member Author

@tanmoysrt thanks, that was a great help. Just one question: can we use the CODESPACES environment variable instead of DEV_CONTAINER to identify Codespaces?

@tanmoysrt
Member

@tanmoysrt thanks, that was a great help. Just one question: can we use the CODESPACES environment variable instead of DEV_CONTAINER to identify Codespaces?

Yes, you can.
If you have time, just verify whether the dev container is actually working in the local environment.
In VS Code, you can run the same dev container; in Codespaces it's actually running in the cloud.
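As an added illustration (not CircuitVerse's or Rails' own code) of the two points made above: why the origin check fails behind the Codespaces proxy, and how the CODESPACES variable gates the opt-out to development only. The helper names, the simplified check, and the forwarded host name are assumptions made for this example.

```ruby
# Added example, not CircuitVerse's own code: a simplified model of the
# Rails origin check as the thread describes it, plus the environment gate
# the PR relies on. Assumptions: the server's base URL is derived from the
# Host header and compared with the Origin header; Codespaces sets the
# CODESPACES environment variable to "true".

# Base URL the server believes it has. Behind the Codespaces proxy the Host
# header is left as localhost:3000, so this never matches the browser's origin.
def base_url(headers)
  scheme = headers.fetch("X-Forwarded-Proto", "http")
  "#{scheme}://#{headers.fetch('Host')}"
end

# Origin check: a request carrying an Origin header passes only when that
# origin equals the server's base URL. Requests without Origin skip this
# check (the authenticity token check still applies to them).
def origin_check_passes?(headers)
  origin = headers["Origin"]
  origin.nil? || origin == base_url(headers)
end

# The check is switched off only for the development environment running
# inside Codespaces; production and a plain local dev container keep it.
def disable_origin_check?(rails_env, env)
  rails_env == "development" && env["CODESPACES"] == "true"
end

def request_allowed?(headers, rails_env:, env:)
  disable_origin_check?(rails_env, env) || origin_check_passes?(headers)
end

# Constructed sample: a browser POST arriving through the Codespaces proxy
# (the forwarded host name is made up for this example).
CODESPACES_POST = {
  "Host" => "localhost:3000",
  "X-Forwarded-Host" => "example-3000.app.github.dev",
  "X-Forwarded-Proto" => "https",
  "Origin" => "https://example-3000.app.github.dev",
}.freeze

# Constructed sample: the same form posted on a plain local setup.
LOCAL_POST = {
  "Host" => "localhost:3000",
  "Origin" => "http://localhost:3000",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "local origin check:      #{origin_check_passes?(LOCAL_POST)}"       # true
  puts "codespaces origin check: #{origin_check_passes?(CODESPACES_POST)}"  # false
end
```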

@tachyons
Member

tachyons commented Dec 5, 2023

Fantastic 🥳

@niladrix719
Member Author

Screen.Recording.2023-12-05.at.8.20.13.PM.mov

I think it's working fine.


codeclimate bot commented Dec 13, 2023

Code Climate has analyzed commit e1d327b and detected 0 issues on this pull request.


@tachyons tachyons merged commit 8d3df19 into CircuitVerse:master Dec 13, 2023
16 checks passed

Successfully merging this pull request may close these issues.

Invalid AuthenticityToken Error in Github Codespaces
3 participants