Remote Auth fails in CSRF check #5945

New Issue

Closed

opened 2025-12-29 19:34:34 +01:00 by adam · 8 comments

adam commented 2025-12-29 19:34:34 +01:00

Owner

Copy Link

Originally created by @vongrad on GitHub (Jan 14, 2022).

NetBox version

3.1.5

Python version

3.9

Steps to Reproduce

1.) Enable the Remote Authentication:
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_X_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True

2.) Send a request (create rack) to NetBox API impersonating a user based on the request header (x-remote-user: user1):
curl -X POST
http://localhost:8000/api/dcim/racks/
-H 'authorization: Token e522782df5ff458d521f470e758b729d533e0bfb'
-H 'cache-control: no-cache'
-H 'content-type: application/json'
-H 'postman-token: 7cb8287c-0d67-784e-bad6-16217995aec5'
-H 'x-remote-user: user1'
-d '{
"name": "Rack 1",
"site": 1,
"status": "active"
}'

Expected Behavior

The user1 is automatically created in NetBox and the creation of the rack happens under user1's identity.
The NetBox changelog (/extras/changelog/) shows that the rack was created under user1

Observed Behavior

The user1 is automatically created in NetBox, however the NetBox API returns:
403: CSRF Failed: CSRF cookie not set.

Originally created by @vongrad on GitHub (Jan 14, 2022). ### NetBox version 3.1.5 ### Python version 3.9 ### Steps to Reproduce 1.) Enable the Remote Authentication: REMOTE_AUTH_ENABLED = True REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend' REMOTE_AUTH_HEADER = 'HTTP_X_REMOTE_USER' REMOTE_AUTH_AUTO_CREATE_USER = True 2.) Send a request (create rack) to NetBox API impersonating a user based on the request header (x-remote-user: user1): curl -X POST \ http://localhost:8000/api/dcim/racks/ \ -H 'authorization: Token e522782df5ff458d521f470e758b729d533e0bfb' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -H 'postman-token: 7cb8287c-0d67-784e-bad6-16217995aec5' \ -H 'x-remote-user: user1' \ -d '{ "name": "Rack 1", "site": 1, "status": "active" }' ### Expected Behavior The _user1_ is automatically created in NetBox and the creation of the rack happens under _user1_'s identity. The NetBox changelog (/extras/changelog/) shows that the rack was created under _user1_ ### Observed Behavior The _user1_ is automatically created in NetBox, however the NetBox API returns: 403: CSRF Failed: CSRF cookie not set.

adam added the type: bugpending closurestatus: under review labels 2025-12-29 19:34:34 +01:00

adam closed this issue 2025-12-29 19:34:34 +01:00

adam commented 2025-12-29 19:34:35 +01:00

Author

Owner

Copy Link

@PieterL75 commented on GitHub (Jan 14, 2022):

Make sure to set all the URI in the ALLOWED_HOSTS of the configuration.py.
Just a * is not working

ALLOWED_HOSTS = ['netbox.mydomain.com','1.2.3.4','127.0.0.1']

@PieterL75 commented on GitHub (Jan 14, 2022): Make sure to set all the URI in the ALLOWED_HOSTS of the configuration.py. Just a * is not working ALLOWED_HOSTS = ['netbox.mydomain.com','1.2.3.4','127.0.0.1']

adam commented 2025-12-29 19:34:36 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Jan 14, 2022):

I'm fairly certain this is to be expected. Django employs a CSRF token to guard against cross-site request forgeries. This token must be present in the form data for every request, which requires the client to ascertain the token before the request is made.

In the conventional workflow, the client first issues a GET request to render the form, which includes the CSRF token, for completion by the user. In the second request, a POST, the form data (including the CSRF token) is submitted.

I'm not sure what led you to this approach, but a far simpler method would be to utilize the REST API.

Send a request (create rack) to NetBox API impersonating a user based on the request header (x-remote-user: user1):

I assume you enabled this just for testing, but I feel it necessary to point out that the HTTP server should never be configured to accept this header from a client directly.

@jeremystretch commented on GitHub (Jan 14, 2022): I'm fairly certain this is to be expected. Django employs a [CSRF token](https://docs.djangoproject.com/en/stable/ref/csrf/) to guard against cross-site request forgeries. This token must be present in the form data for every request, which requires the client to ascertain the token before the request is made. In the conventional workflow, the client first issues a GET request to render the form, which includes the CSRF token, for completion by the user. In the second request, a POST, the form data (including the CSRF token) is submitted. I'm not sure what led you to this approach, but a far simpler method would be to utilize the REST API. > Send a request (create rack) to NetBox API impersonating a user based on the request header (x-remote-user: user1): I assume you enabled this just for testing, but I feel it necessary to point out that the HTTP server should never be configured to accept this header from a client directly.

adam commented 2025-12-29 19:34:36 +01:00

Author

Owner

Copy Link

@vongrad commented on GitHub (Jan 20, 2022):

I am utilizing the REST API, not the conventional workflow. I would expect that the CSRF token is not required when talking directly to the REST API. Also, when sending the same request without the x-remote-user header (and not supplying any CSRF token), the request works so I assume it has to be something directly related to supplying the x-remote-user header.

@vongrad commented on GitHub (Jan 20, 2022): I am utilizing the REST API, not the conventional workflow. I would expect that the CSRF token is not required when talking directly to the REST API. Also, when sending the same request without the x-remote-user header (and not supplying any CSRF token), the request works so I assume it has to be something directly related to supplying the x-remote-user header.

adam commented 2025-12-29 19:34:36 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Jan 20, 2022):

I would expect that the CSRF token is not required when talking directly to the REST API.

It isn't; all you need is an authentication token, which authenticates the user. (I don't know what you're doing with the postman-token header, but it's also not needed.)

Why are you trying to pass the X-REMOTE-USER header directly from the client? You already have a token.

@jeremystretch commented on GitHub (Jan 20, 2022): > I would expect that the CSRF token is not required when talking directly to the REST API. It isn't; all you need is an [authentication token](https://netbox.readthedocs.io/en/stable/rest-api/authentication/), which authenticates the user. (I don't know what you're doing with the `postman-token` header, but it's also not needed.) Why are you trying to pass the `X-REMOTE-USER` header directly from the client? You already have a token.

adam commented 2025-12-29 19:34:36 +01:00

Author

Owner

Copy Link

@vongrad commented on GitHub (Jan 20, 2022):

I am testing the REST API from Postman, hence the postman-token header.
The way I understood the Remote Authentication in NetBox is that I still need to authenticate using the Authentication token, but then can impersonate a different user using the X-REMOTE-USER header. Is that the case?

@vongrad commented on GitHub (Jan 20, 2022): I am testing the REST API from Postman, hence the postman-token header. The way I understood the Remote Authentication in NetBox is that I still need to authenticate using the Authentication token, but then can impersonate a different user using the X-REMOTE-USER header. Is that the case?

adam commented 2025-12-29 19:34:36 +01:00

Author

Owner

Copy Link

@vongrad commented on GitHub (Feb 9, 2022):

Any update on this? @jeremystretch

@vongrad commented on GitHub (Feb 9, 2022): Any update on this? @jeremystretch

adam commented 2025-12-29 19:34:37 +01:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Apr 11, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our contributing guide.

@github-actions[bot] commented on GitHub (Apr 11, 2022): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our [contributing guide](https://github.com/netbox-community/netbox/blob/develop/CONTRIBUTING.md).

adam commented 2025-12-29 19:34:37 +01:00

Author

Owner

Copy Link

@DanSheps commented on GitHub (Apr 11, 2022):

I don't believe impersonation is supported as of yet. See #8863

@DanSheps commented on GitHub (Apr 11, 2022): I don't believe impersonation is supported as of yet. See #8863

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label pending closure status: under review type: bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#5945