Ruby version: 2.3.4
Sidekiq / Pro / Enterprise version(s): 5.1.3
I decided to just go with the Basic Auth/deploy to Heroku version and I'm still getting Forbidden constantly:

`attack prevented by Rack::Protection::AuthenticityToken`
```ruby
# this code goes in your config.ru
require 'sidekiq'
require 'digest' # ::Digest::SHA256 is not loaded automatically outside Rails

Sidekiq.configure_client do |config|
  config.redis = { :size => 1 }
end

require 'sidekiq/web'

map '/sidekiq' do
  use Rack::Auth::Basic, "Protected Area" do |username, password|
    # Protect against timing attacks:
    # - See https://codahale.com/a-lesson-in-timing-attacks/
    # - See https://thisdata.com/blog/timing-attacks-against-string-comparison/
    # - Use & (do not use &&) so that it doesn't short circuit.
    # - Use digests to stop length information leaking
    Rack::Utils.secure_compare(::Digest::SHA256.hexdigest(username), ::Digest::SHA256.hexdigest(ENV["SIDEKIQ_USERNAME"])) &
      Rack::Utils.secure_compare(::Digest::SHA256.hexdigest(password), ::Digest::SHA256.hexdigest(ENV["SIDEKIQ_PASSWORD"]))
  end
  run Sidekiq::Web
end
```
How can I prevent this? It's super frustrating to have to clear my cookies a few dozen times a day to work around this.
Could this all be specific to Heroku? We've never had this problem on AWS, but as far as I can tell they are set up very similarly where it counts.
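The Basic Auth block in the config.ru above relies on two rules spelled out in its comments: hash both sides so `secure_compare` never sees a length difference, and join the two checks with `&` so the password comparison runs even when the username is wrong. The following stdlib-only re-implementation (an added example, not code from the issue or from Sidekiq; the `SidekiqWebAuth` module, its `compare_calls` counter and the sample credentials are constructed for illustration) lets those two properties be exercised directly, using the same XOR-accumulate approach that `Rack::Utils.secure_compare` uses internally:

```ruby
require 'digest'

module SidekiqWebAuth
  class << self
    # Counts secure_compare invocations so the "& runs both sides" rule can be observed.
    attr_accessor :compare_calls
  end
  self.compare_calls = 0

  # Constant-time comparison of two equal-length strings: XOR every byte pair
  # and OR the results, so the time taken does not depend on where the first
  # mismatch occurs. The early return only leaks length, which the caller
  # neutralises by comparing fixed-length digests.
  def self.secure_compare(a, b)
    self.compare_calls += 1
    return false unless a.bytesize == b.bytesize
    acc = 0
    a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
    acc.zero?
  end

  # Both sides become 64-character hex strings, so the bytesize check above
  # never reveals how long the real username or password is.
  def self.digest(str)
    Digest::SHA256.hexdigest(str.to_s)
  end

  # True only when both credentials match. `&` (not `&&`) forces the password
  # comparison to run even after a username mismatch, so a wrong username is
  # not measurably faster than a wrong password.
  def self.valid?(username, password, expected_user, expected_pass)
    secure_compare(digest(username), digest(expected_user)) &
      secure_compare(digest(password), digest(expected_pass))
  end

  # Builds the callable shape Rack::Auth::Basic expects: (username, password)
  # in, truthy/falsy out. Expected values are read once from the given env
  # (variable names taken from the issue's config.ru).
  def self.authenticator(env = ENV)
    user = env.fetch('SIDEKIQ_USERNAME')
    pass = env.fetch('SIDEKIQ_PASSWORD')
    ->(username, password) { valid?(username, password, user, pass) }
  end
end

if __FILE__ == $0
  # Constructed sample credentials for a stand-alone run.
  auth = SidekiqWebAuth.authenticator('SIDEKIQ_USERNAME' => 'ops', 'SIDEKIQ_PASSWORD' => 'hunter2')
  puts auth.call('ops', 'hunter2')    # true
  puts auth.call('ops', 'wrong')      # false
  puts auth.call('admin', 'hunter2')  # false
end
```

In a real config.ru the `authenticator` lambda is what you would hand to `Rack::Auth::Basic`; the point of the counter is only to make visible that a wrong username still costs two comparisons, not one.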
It's near impossible for me to debug Rack problems. Search for "Forbidden" and start trying different solutions, let us know what works for you.
I've tried using
`Sidekiq::Web.set :sessions, false`
found here: https://github.com/mperham/sidekiq/wiki/Monitoring as well.
But I just get error messages related to "sessions must be configured". I don't quite get that message if the option for turning them off exists?
I'm gonna give https://github.com/mperham/sidekiq/issues/2560 a try when time becomes available.
I really feel bad about the Rack session stuff but everyone is slightly different and it's literally impossible for humans to debug Rack internals. Frustrating for me too.
Ended up going with this about a week ago and haven't seen this error case since then.
My sidekiq-web.ru file:

```ruby
Encoding.default_external = Encoding::UTF_8

require 'sidekiq'
require 'sidekiq/cron'
require 'digest' # ::Digest::SHA256 is not loaded automatically outside Rails

redis_config = { :size => 1, :db => 0, :url => ENV['REDIS_URL'] }
Sidekiq.configure_client do |config|
  config.redis = redis_config
end

require 'sidekiq/web'
require 'sidekiq/cron/web'

# A fixed secret shared by every process, instead of a random per-process one
Sidekiq::Web.set :session_secret, ENV['SESSION_SECRET']

map '/' do
  use Rack::Auth::Basic, "Protected Area" do |username, password|
    # Protect against timing attacks:
    # - See https://codahale.com/a-lesson-in-timing-attacks/
    # - See https://thisdata.com/blog/timing-attacks-against-string-comparison/
    # - Use & (do not use &&) so that it doesn't short circuit.
    # - Use digests to stop length information leaking
    Rack::Utils.secure_compare(::Digest::SHA256.hexdigest(username), ::Digest::SHA256.hexdigest('admin')) &
      Rack::Utils.secure_compare(::Digest::SHA256.hexdigest(password), ::Digest::SHA256.hexdigest(ENV["SIDEKIQ_WEB_PASSWORD"]))
  end
  run Sidekiq::Web
end
```

`Sidekiq::Web.set :session_secret, ENV['SESSION_SECRET']` was the key part, but I've included it all just in case it helps someone.
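The fix that closed the thread was a fixed `session_secret`. Sidekiq 5's web UI generates a random session secret per process when none is configured, so a cookie-based session signed by one Heroku dyno does not verify on another, the CSRF token stored in it is lost, and `Rack::Protection::AuthenticityToken` rejects the form POST. The model below (an added example, not code from the issue or from Sidekiq or Rack; `WebProcess`, `simulate`, the `csrf` key and the cookie layout are simplified stand-ins for `Rack::Session::Cookie`, not its real format) reproduces that failure with two simulated dynos and shows it disappear when both read the same `SESSION_SECRET`:

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Models one web process (a Heroku dyno) serving Sidekiq::Web.
class WebProcess
  attr_reader :secret

  # Mirrors the Sidekiq 5 fallback: use the configured secret if present,
  # otherwise generate a fresh random one that only this process knows.
  def initialize(env)
    @secret = env['SESSION_SECRET'] || SecureRandom.hex(64)
  end

  # Issue a session cookie: strict-base64 JSON payload plus an HMAC over it.
  def issue_cookie(session)
    payload = [JSON.generate(session)].pack('m0')
    "#{payload}--#{hmac(payload)}"
  end

  # Return the session hash, or nil when the signature does not verify,
  # which is exactly what a cookie signed by a different process looks like.
  def load_session(cookie)
    payload, sig = cookie.to_s.split('--', 2)
    return nil unless payload && sig && secure_compare(hmac(payload), sig)
    JSON.parse(payload.unpack('m0').first)
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # What the authenticity-token check amounts to on a form POST: the token
  # submitted with the form must match the one stored in the session.
  # An unreadable session means no stored token, hence Forbidden.
  def authenticity_ok?(cookie, submitted_token)
    session = load_session(cookie)
    return false unless session && session['csrf'].is_a?(String)
    secure_compare(session['csrf'], submitted_token.to_s)
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end

  # Constant-time equality for equal-length strings.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Two dynos behind one router: dyno A renders the page (and sets the cookie),
# the router sends the resulting POST to dyno B. `env` stands in for the ENV
# each dyno boots with.
def simulate(env)
  dyno_a = WebProcess.new(env)
  dyno_b = WebProcess.new(env)
  token  = SecureRandom.hex(16)
  cookie = dyno_a.issue_cookie('csrf' => token)
  dyno_b.authenticity_ok?(cookie, token)
end

if __FILE__ == $0
  puts simulate({})                                               # false: secrets differ
  puts simulate('SESSION_SECRET' => 'constructed-shared-secret')  # true: secret shared
end
```

The same mismatch shows up on a single dyno after every restart or deploy, which is why clearing cookies appeared to "fix" it for a while; only a secret that is identical across processes and restarts makes sessions (and the CSRF token inside them) survive.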