Parse-dashboard: Prompt form tampered with, what is the problem?

Created on 4 Nov 2017  ·  37Comments  ·  Source: parse-community/parse-dashboard

Prompt form tampered with, what is the problem?

duplicate needs investigation troubleshooting

Most helpful comment

I ran into this issue after upgrading to 1.1.2 and I hunted down the root cause.

As per PR #774 (this line of code), the cookie secret will be set to a random value if you do not set it yourself. This is intentional and documented in the CLI.

So, if you are running in a load balanced environment (or in using NodeJS cluster) be sure to set your cookieSessionSecret:

From CLI:
--cookieSessionSecret "your-secret-here"

From NodeJS (options is the 2nd argument of constructor):

new ParseDashboard({
// settings here
}, {
  cookieSessionSecret: 'your-secret-here'
});

All 37 comments

v1.1.2 version of the problem, with the https prompt tampered with form, with http and added to allow set, suggesting that must be https

Same issue here, I'm using Heroku as server

Hi, I used what you said, still does not work in v1.1.2 version.


     公司网址:http://www.mengsens.com/


                  广东梦森信息科技有限公司 -              廖晓清
         公司地址:广州市海珠区新港西路135号中山大学国家大学科技园B座1308室

     手机号码:139 2609 5308
     QQ号码 :187 2117 737
     主营业务:快递鸽 - 快递物流综合解决方案



 祝:生活愉快!一切顺利!

------------------ Original ------------------
From: "Sam Ilic"notifications@github.com;
Date: Wed, Nov 8, 2017 07:11 PM
To: "parse-community/parse-dashboard"parse-dashboard@noreply.github.com;
Cc: "lxq20081128"lxq@mengsens.com; "Author"author@noreply.github.com;
Subject: Re: [parse-community/parse-dashboard] Prompt form tampered with, whatis the problem? (#806)

In my case I fixed it by changing from
let dashboard = new ParseDashboard({ ... }, true);
to
let dashboard = new ParseDashboard({ ... }, { allowInsecureHTTP: true });

You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.

@lxq20081128 Sorry that was my mistake, it actually doesn't work even if you do what I suggested, which is why I deleted my comment :)

Hopefully we can get a response from one of the contributors as this is currently preventing me from upgrading.

@lxq20081128 I'm assuming you're referring to #810? There were some pretty good details provided in that issue, I'm following up there currently. Let me know if this is something else though.

Hi @montymxb, I think this issue is a different one, here is my config:

// configure Parse dashboard
let dashboard = new ParseDashboard({
  'apps': [{
    'serverURL': env.parseServerUrl,
    'appId': env.appId,
    'masterKey': env.masterKey,
    'appName': 'APP NAME'
  }],
  'users': [{
    'user': 'whatever',
    'pass': env.dashboardAdminPassword
  }],
  'useEncryptedPasswords': false,
  'trustProxy': true
}, {
  allowInsecureHTTP: true // HTTPS terminated by NGINX
});

Here is what displays after I successfully log in:
image

On localhost this works fine, however in Development which is hosted in the cloud where the dashboard is behind NGINX that terminates HTTPS, I get the above message.

@stage88 @lxq20081128 This looks like this is CSRF protection coming into play, specifically triggered when an error code of EBADCSRFTOKEN is reported. I'll look into this further when I have a moment. With that being said this is probably normal behavior, just a guess but something including or between the NGINX config for your domain and the dashboard itself is not quite right.

I started to have the same issue with aws hosted server (v1.1.2) since yesterday. It was working fine before. I don't remember making any changes to my configuration or app version.

same issue v1.1.2,parse-dashboard and parse-server in same server

Has anyone seen this via localhost by any chance? Or is this exclusively on remote services?

Same issue v. 1.1.2 on Google App Engine. Though I can finally log in after few attempts.

I'm still having problems with this form tampered with. Someone found any workaround on Heroku?

We are also experiencing the same issue on v.1.1.2

@ali-dev Noted regarding 1.1.2. Until we can replicate this we won't be able to do to much. It does _seem_ like a bug, but it could be a server config issue still. This is considering that all reports are coming from 3rd parties hosting a dashboard.

Once we can reproduce this we can start moving onto a solution. In the meantime if anyone can provide further details as to conditions that triggered this it would be much appreciated. As well as any suspected changes that may have triggered this to pop up.

Hi, @montymxb! It seems to be an issue with the CSRF protection token that isn't valid (even with allowInsecureHTTP set to true). You can replicate this firing a Heroku free server with dashboard. This already happened before: https://github.com/parse-community/parse-dashboard/issues/664
Thank you!

@montymxb, couldn't this be a problem related with csurf?

@tcha-tcho as mentioned above we are aware this is a CSRF token issue. As for the details regarding heroku & the duplicate issue thanks for bringing that to my attention. I'll see if we can replicate this on heroku.

Keeping this open for now as this (and the older issue #664) both contain details that may be helpful in resolving this.

The issue has been resolved by downgrading parse-dashboard installation to version 1.1.0
npm install [email protected]
this is a bug in latest version 1.1.2

I'll have to verify that when i look into testing against heroku's setup.

On Dec 11, 2017 9:48 AM, "Mousa Najafi" notifications@github.com wrote:

The issue has been resolved by downgrade parse-dashboard installation to
version 1.1.0
npm install [email protected]
this is a bug in latest version 1.1.2


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/parse-community/parse-dashboard/issues/806#issuecomment-350801981,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AE1d4JEmMNHihd0i69ZwLZSEfnSkkriOks5s_Wr8gaJpZM4QR6Ty
.

I ran into this issue after upgrading to 1.1.2 and I hunted down the root cause.

As per PR #774 (this line of code), the cookie secret will be set to a random value if you do not set it yourself. This is intentional and documented in the CLI.

So, if you are running in a load balanced environment (or in using NodeJS cluster) be sure to set your cookieSessionSecret:

From CLI:
--cookieSessionSecret "your-secret-here"

From NodeJS (options is the 2nd argument of constructor):

new ParseDashboard({
// settings here
}, {
  cookieSessionSecret: 'your-secret-here'
});

Anyone can confirm setting the above ^ helps with the issue here?

Hi @JeremyPlease and @montymxb
Thanks a lot for your great help , I've updated from version 1.1.0 to latest version in ubuntu vps
by setting the cookieSessionSecret in ParseDashboard 2nd argument of constructor the problem has solved, and issue can be closed
I love parse server and dashboard and gets happier when I see an active contribution on it
many thanks

@JeremyPlease You found it. Thanks.

This can be closed now.

Glad to see it's resolved 👍

@montymxb @JeremyPlease This fix worked for me using node.js Throng clustering on Heroku.
What is the best practice for the cookieSessionSecret? Generate a new key? Use Master Key? Use whatever ex. 'magic'?

Thanks

There is no need to use clusterting in the dashboard as it’s just a client app. The server side should only be hit with the authentication.

The cookieSessionSecret can be anything, but long chain of characters are preferred. See this thread https://stackoverflow.com/questions/5343131/what-is-the-sessions-secret-option

Hi All,

Still, I am unable to fix this issue.

Please let me know what I am missing in this config

parser-dashabord - @1.2.0
parse-server - @3.1.2

Parse-Dashboard
var express = require('express');
var ParseDashboard = require('parse-dashboard');

var options = {
allowInsecureHTTP: true,
cookieSessionSecret: '*'
};

var dashboard = new ParseDashboard({
"apps": [{
"serverURL": "http://parseserver:1337/parse",
"appId": "my-mobile-apps",
"masterKey": "*,
"appName": "First App"
}],
"users": [{
"user": "user1",
"pass": "pass",
"apps": [{
"appId": "my-mobile-apps"
}]
}],
"trustProxy": 1
}, options);

var app = express();

// make the Parse Dashboard available at /dashboard
app.use('/dashboard', dashboard);

var httpServer = require('http').createServer(app);
httpServer.listen(4040,function(){
console.log("listening")
});

Parse Server
var express = require('express');
var path = require('path');
var ParseServer = require('parse-server').ParseServer;
var app = express();

var api = new ParseServer({
databaseURI: 'mongodb://mc-mongo/my-mobile-apps', // Connection string for your MongoDB database
cloud: '../../app/src/cloud/main.js', // Absolute path to your Cloud Code
appId: 'my-mobile-apps',
masterKey: '*', // Keep this key secret!
serverURL: 'http://localhost:1337/parse', // Don't forget to change to https if needed
liveQuery: {
classNames: ["Posts", "Comments"] // List of classes to support for query subscriptions
}
});

// Serve the Parse API on the /parse URL prefix
app.use('/parse', api);

app.use('/public', express.static(path.join(__dirname, '/public')));

app.listen(1337, function () {
console.log('parse-server-example running on port 1337.');
});

@Gowtham029 From your code I can see:

var options = {
  allowInsecureHTTP: true,
  cookieSessionSecret: '***'
};
var dashboard = new ParseDashboard({
  // ...
}, options);

That is all that is needed to fix the "form tampered with" error that is reported in this issue.

If you are still getting the same error, there must be something else going on. Check to make sure your new code is actually being used and make sure you don't have any browser extensions that could change hidden form values.

@JeremyPlease Same issue. After adding the loadBalancer the server is working but the dashboard is giving same error "form tampered with". Any idea what i am missing?

Thank you.

Hi All,

Still, I am unable to fix this issue.

Please let me know what I am missing in this config

parser-dashabord - @1.2.0
parse-server - @3.1.2

Parse-Dashboard
var express = require('express');
var ParseDashboard = require('parse-dashboard');

var options = {
allowInsecureHTTP: true,
cookieSessionSecret: '*'
};

var dashboard = new ParseDashboard({
"apps": [{
"serverURL": "http://parseserver:1337/parse",
"appId": "my-mobile-apps",
"masterKey": "*,
"appName": "First App"
}],
"users": [{
"user": "user1",
"pass": "pass",
"apps": [{
"appId": "my-mobile-apps"
}]
}],
"trustProxy": 1
}, options);

var app = express();

// make the Parse Dashboard available at /dashboard
app.use('/dashboard', dashboard);

var httpServer = require('http').createServer(app);
httpServer.listen(4040,function(){
console.log("listening")
});

Parse Server
var express = require('express');
var path = require('path');
var ParseServer = require('parse-server').ParseServer;
var app = express();

var api = new ParseServer({
databaseURI: 'mongodb://mc-mongo/my-mobile-apps', // Connection string for your MongoDB database
cloud: '../../app/src/cloud/main.js', // Absolute path to your Cloud Code
appId: 'my-mobile-apps',
masterKey: '*', // Keep this key secret!
serverURL: 'http://localhost:1337/parse', // Don't forget to change to https if needed
liveQuery: {
classNames: ["Posts", "Comments"] // List of classes to support for query subscriptions
}
});

// Serve the Parse API on the /parse URL prefix
app.use('/parse', api);

app.use('/public', express.static(path.join(__dirname, '/public')));

app.listen(1337, function () {
console.log('parse-server-example running on port 1337.');
});

@Gowtham029 I am getting the same error, did you find the solution?

Thank you.

The trust proxy flag does into the options object, not in the configuration

Sent with GitHawk

The trust proxy flag does into the options object, not in the configuration

Sent with GitHawk

@flovilmart thank you for your quick response.

Actually the problem solved by downgrading the parse dashboard version and then npm install.!

If you downgraded, this is not solved, you are potentially exposed to security issues. You should always run the latest available version.

Sent with GitHawk

Thats right, will work on the latest version.
@flovilmart thank you!

So only change i need to do is add cookieSessionSecret value in options ?

Should session secret value be a fixed value
var options = {
allowInsecureHTTP: true,
cookieSessionSecret: 'fixedvalue'
};

Was this page helpful?
0 / 5 - 0 ratings