PPS-588 add guppy csrf #2430
PPS-588 add guppy csrf #2430
Conversation
| @@ -1,4 +1,8 @@ | |||
| location /guppy/ { | |||
| if ($csrf_check !~ ^ok-\S.+$) { | |||
There was a problem hiding this comment.
i don't think we can't merge this 🤔 like you mentioned in the PR description, all the data commons that don't have the latest data-portal and guppy will fail... we need to somehow make this conditional based on the deployed version of portal and guppy, or leave it out for now and merge it in a few months once everyone has deployed the new portal and guppy.
But iirc we need this for a security ticket? if there's a deadline we might have to make everyone upgrade portal and guppy. Not great right before we all go on break 😬 can it be pushed to Jan, or even Feb when the change is included in 2024.02?
There was a problem hiding this comment.
Yeah that is true, the process we have formulized is not to merge this right away. The Guppy and Portal changes will be merged, and then the Portal changes will be cherry-picked into the 2023.12 release (no need to update Guppy since the Guppy changes are purely frontend). And Elise will continue her work on updating envs to ES7, which will bring all these envs to Portal 2023.12. After that we then we will merge this cloud-auto PR and re-roll Portal in those envs
| @@ -1,4 +1,8 @@ | |||
| location /guppy/ { | |||
| if ($csrf_check !~ ^ok-\S.+$) { | |||
| return 403 "failed csrf check"; | |||
There was a problem hiding this comment.
maybe this could say "failed csrf check. Make sure to use guppy version >=x and data-portal version >=y"
There was a problem hiding this comment.
Good call, I can update this
Jira Ticket: PPS-588
Improvements
Deployment changes