PPS-588 add guppy csrf #2430

Merged
merged 4 commits into from
Jan 10, 2024
4 changes: 4 additions & 0 deletions kube/services/revproxy/gen3.nginx.conf/guppy-service.conf
@@ -1,4 +1,8 @@
location /guppy/ {
if ($csrf_check !~ ^ok-\S.+$) {
@paulineribeyre paulineribeyre Dec 18, 2023

i don't think we can't merge this 🤔 like you mentioned in the PR description, all the data commons that don't have the latest data-portal and guppy will fail... we need to somehow make this conditional based on the deployed version of portal and guppy, or leave it out for now and merge it in a few months once everyone has deployed the new portal and guppy.

But iirc we need this for a security ticket? if there's a deadline we might have to make everyone upgrade portal and guppy. Not great right before we all go on break 😬 can it be pushed to Jan, or even Feb when the change is included in 2024.02?

Contributor Author


Yeah that is true, the process we have formulized is not to merge this right away. The Guppy and Portal changes will be merged, and then the Portal changes will be cherry-picked into the 2023.12 release (no need to update Guppy since the Guppy changes are purely frontend). And Elise will continue her work on updating envs to ES7, which will bring all these envs to Portal 2023.12. After that we will then merge this cloud-auto PR and re-roll Portal in those envs.

return 403 "failed csrf check, make sure data-portal version >= 2023.12 or >= 5.19.0";
}

proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
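Review bot: The pattern `^ok-\S.+$` in the `if` condition is looser than it reads. After the single `\S`, the `.+` accepts any characters including whitespace, and the value needs at least two characters after `ok-`. If the intent is "ok- followed by a non-empty token with no whitespace", `^ok-\S+$` states that directly. Separately, `$csrf_check` is not set anywhere in this file, so a short comment above the `if` naming where it is defined would help the next reader. The portal version requirement also lives only in the 403 string; a comment in the config would make the rollout dependency visible to whoever deploys this location block.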