On TeamCity 2021.2, when I try to use one of the functions for a POST request, I get the following CSRF error:

```text
dohq_teamcity.rest.ApiException: (403)
Reason:
HTTP response headers: HTTPHeaderDict({'TeamCity-Node-Id': 'MAIN_SERVER', 'X-Content-Type-Options': 'nosniff', 'Content-Type': 'text/plain;charset=UTF-8', 'Content-Length': '347', 'Date': 'Fri, 02 Jul 2021 18:53:05 GMT'})
HTTP response body: 403 Forbidden: Responding with 403 status code due to failed CSRF check: authenticated POST request is made, but neither tc-csrf-token parameter nor X-TC-CSRF-Token header are provided.. For a temporary workaround, you can set internal property teamcity.csrf.paranoid=false and provide valid Origin=http://localhost:8111 header with your request
```
The solution to this is apparently here: https://www.jetbrains.com/help/teamcity/csrf-protection.html#Implications+for+CORS+clients

Should the library be updated to take this into account as well?
==========================
The website says to:
- token: they recommend using token-based authentication and disabling cookie support (if you don't want to use a CSRF token)
- HTTP authentication: apply for a CSRF token otherwise
Currently the rest.py::RESTClientObject::request(...) method always stores cookies if they are received:

```python
        # tail of RESTClientObject.request(...) in rest.py
        if not 200 <= r.status <= 299:
            raise ApiException(http_resp=r)
        if self.cookie is None:
            # the Set-Cookie value is kept unconditionally and replayed on later requests
            self.cookie = r.getheader('Set-Cookie')
            # pass
        # debug print
        print("\n=============out cookie:", r.getheader('Set-Cookie'), "=============\n")
        return r
```
I think you should add an option to not store cookies (and do the 2 methods they suggested above)?
istvans
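An added example, not code from dohq-teamcity or from this issue: a constructed stand-in for TeamCity's CSRF check plus a minimal request() with the two options described above, either never keeping Set-Cookie (the token-auth route) or fetching the token and sending it as X-TC-CSRF-Token on POST. The token endpoint path is assumed from the JetBrains CSRF docs; the Authorization value, cookie, token and REST path are constructed.

```python
import secrets
from collections import namedtuple

CSRF_TOKEN_PATH = "/authenticationTest.html?csrf"  # token endpoint per JetBrains docs (assumed)
Response = namedtuple("Response", "status body headers")

class FakeTeamCity:
    """Constructed stand-in for the server: every authenticated reply sets a session
    cookie, and a POST that presents that cookie must also carry the CSRF token,
    otherwise it is rejected with 403 like the response quoted in the issue."""
    def __init__(self):
        self.csrf = secrets.token_hex(16)
        self.cookie = "TCSESSIONID=" + secrets.token_hex(8)

    def handle(self, method, path, headers):
        set_cookie = {"Set-Cookie": self.cookie + "; Path=/"}
        if "Authorization" not in headers and headers.get("Cookie") != self.cookie:
            return Response(401, "Unauthorized", {})
        if method == "GET" and path == CSRF_TOKEN_PATH:
            return Response(200, self.csrf, set_cookie)
        if (method == "POST" and headers.get("Cookie") == self.cookie
                and headers.get("X-TC-CSRF-Token") != self.csrf):
            return Response(403, "Forbidden: failed CSRF check", set_cookie)
        return Response(200, "ok", set_cookie)

class Client:
    """Minimal request() with the two knobs the issue asks for: whether to keep
    Set-Cookie at all, and whether to obtain and send X-TC-CSRF-Token on POST."""
    def __init__(self, server, store_cookies, send_csrf_token):
        self.server, self.store_cookies, self.send_csrf_token = server, store_cookies, send_csrf_token
        self.cookie = self.csrf = None

    def request(self, method, path):
        headers = {"Authorization": "Bearer constructed-access-token"}
        if self.cookie:
            headers["Cookie"] = self.cookie
        if method == "POST" and self.cookie and self.send_csrf_token:
            if self.csrf is None:  # one GET obtains the token for this session
                self.csrf = self.request("GET", CSRF_TOKEN_PATH).body
            headers["X-TC-CSRF-Token"] = self.csrf
        r = self.server.handle(method, path, headers)
        if self.store_cookies and self.cookie is None and "Set-Cookie" in r.headers:
            self.cookie = r.headers["Set-Cookie"].split(";")[0]  # what rest.py does today
        return r

def post_twice(store_cookies, send_csrf_token):
    """Statuses of two consecutive POSTs; the second carries the cookie from the first."""
    c = Client(FakeTeamCity(), store_cookies, send_csrf_token)
    return [c.request("POST", "/app/rest/buildQueue").status for _ in range(2)]
```

The first POST succeeds in every mode; only the second one, which replays the stored cookie, reproduces the 403 unless cookies are dropped or the token is sent.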