NEXUS-18850

401 Anti cross-site request forgery token mismatch blocks valid npm client publish and login


    Details

      Description

      Nexus includes an anti-CSRF request filter. In 3.15.0 this filter can reject otherwise valid npm publish (and login) requests with the plain-text response `401 Anti cross-site request forgery token mismatch`, which the npm client then reports as a JSON parse error, as shown in the verbose log below.

      npm verb publish registryBase https://example.com/repository/veneer/
      npm verb request uri https://example.com/repository/veneer/@veneer%2fcore
      npm verb request always-auth set; sending authorization
      npm info attempt registry request try #1 at 11:46:25
      npm verb request id 42115f81eec2cf80
      npm http request PUT https://example.com/repository/veneer/@veneer%2fcore
      REQUEST { url:
         Url {
           protocol: 'https:',
           slashes: true,
           auth: 'veneer.bot:********',
           host: 'example.com',
           port: null,
           hostname: 'example.com',
           hash: null,
           search: null,
           query: null,
           pathname: '/repository/veneer/@veneer%2fcore',
           path: '/repository/veneer/@veneer%2fcore',
           href: 'https://example.com/repository/veneer/@veneer%2fcore' },
        method: 'PUT',
        headers:
         { 'accept-encoding': 'gzip',
           version: '6.4.1',
           accept: 'application/json',
           referer: 'publish',
           'npm-session': '42115f81eec2cf80',
           'npm-in-ci': 'false',
           'user-agent': 'npm/6.4.1 node/v8.11.3 linux x64',
           'npm-scope': '@veneer' },
        strictSSL: false,
        cert: null,
        key: null,
        ca: null,
        agent:
         Agent {
           domain: null,
           _events: { free: [Function] },
           _eventsCount: 1,
           _maxListeners: undefined,
           defaultPort: 443,
           protocol: 'https:',
           options:
            { key: null,
              cert: null,
              ca: null,
              rejectUnauthorized: false,
              localAddress: undefined,
              maxSockets: 50,
              keepAlive: true,
              path: null },
           requests: {},
           sockets: {},
           freeSockets: {},
           keepAliveMsecs: 1000,
           keepAlive: true,
           maxSockets: 50,
           maxFreeSockets: 256,
           maxCachedSessions: 100,
           _sessionCache: { map: {}, list: [] } },
        proxy: 'http://proxy.example.com:8080/',
        followRedirect: true,
        encoding: null,
        json:
         { _id: '@veneer/core',
           name: '@veneer/core',
           description: 'Veneer Core',
           'dist-tags': { latest: '0.0.0-dummy.3' },
           versions: { '0.0.0-dummy.3': [Object] },
           readme: 'ERROR: No README data found!',
           maintainers: [ [Object] ],
           _attachments: { '@veneer/core-0.0.0-dummy.3.tgz': [Object] } },
        callback: [Function] }
      REQUEST make request https://example.com/repository/veneer/@veneer%2fcore
      REQUEST onRequestResponse https://example.com/repository/veneer/@veneer%2fcore 401 { 'content-type': 'text/plain;charset=iso-8859-1',
        date: 'Wed, 16 Jan 2019 13:46:38 GMT',
        server: 'Nexus/3.15.0-01 (PRO)',
        'x-content-type-options': 'nosniff',
        'content-length': '46',
        connection: 'Close' }
      REQUEST reading response's body
      REQUEST finish init function https://example.com/repository/veneer/@veneer%2fcore
      REQUEST response end https://example.com/repository/veneer/@veneer%2fcore 401 { 'content-type': 'text/plain;charset=iso-8859-1',
        date: 'Wed, 16 Jan 2019 13:46:38 GMT',
        server: 'Nexus/3.15.0-01 (PRO)',
        'x-content-type-options': 'nosniff',
        'content-length': '46',
        connection: 'Close' }
      REQUEST end event https://example.com/repository/veneer/@veneer%2fcore
      REQUEST has body https://example.com/repository/veneer/@veneer%2fcore 46
      REQUEST invalid JSON received https://example.com/repository/veneer/@veneer%2fcore
      REQUEST emitting complete https://example.com/repository/veneer/@veneer%2fcore
      npm http 401 https://example.com/repository/veneer/@veneer%2fcore
      npm verb bad json Anti cross-site request forgery token mismatch
      npm ERR! registry error parsing json
      npm verb headers { 'content-type': 'text/plain;charset=iso-8859-1',
      npm verb headers   date: 'Wed, 16 Jan 2019 13:46:38 GMT',
      npm verb headers   server: 'Nexus/3.15.0-01 (PRO)',
      npm verb headers   'x-content-type-options': 'nosniff',
      npm verb headers   'content-length': '46',
      npm verb headers   connection: 'Close' }
      npm ERR! publish Failed PUT 401
      npm verb stack SyntaxError: Unexpected token A in JSON at position 0
      npm verb stack Anti cross-site request forgery token mismatch
      npm verb stack     at JSON.parse (<anonymous>)
      npm verb stack     at RegClient.<anonymous> (/home/example/n/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:243:23)
      npm verb stack     at Request._callback (/home/example/n/lib/node_modules/npm/node_modules/npm-registry-client/lib/request.js:216:14)
      npm verb stack     at Request.self.callback (/home/example/n/lib/node_modules/npm/node_modules/request/request.js:185:22)
      npm verb stack     at emitTwo (events.js:126:13)
      npm verb stack     at Request.emit (events.js:214:7)
      npm verb stack     at Request.<anonymous> (/home/example/n/lib/node_modules/npm/node_modules/request/request.js:1161:10)
      npm verb stack     at emitOne (events.js:116:13)
      npm verb stack     at Request.emit (events.js:211:7)
      npm verb stack     at IncomingMessage.<anonymous> (/home/example/n/lib/node_modules/npm/node_modules/request/request.js:1083:12)
      npm verb stack     at Object.onceWrapper (events.js:313:30)
      npm verb stack     at emitNone (events.js:111:20)
      npm verb stack     at IncomingMessage.emit (events.js:208:7)
      npm verb stack     at endReadableNT (_stream_readable.js:1064:12)
      npm verb stack     at _combinedTickCallback (internal/process/next_tick.js:138:11)
      npm verb stack     at process._tickCallback (internal/process/next_tick.js:180:9)
      npm verb cwd /home/example/workspace/veneer/veneer/packages/core
      npm verb Linux 4.13.0-45-generic
      npm verb argv "/home/example/n/bin/node" "/home/example/.local/bin/npm" "publish" "--verbose" "--log-level=silly"
      npm verb node v8.11.3
      npm verb npm  v6.4.1
      npm ERR! Unexpected token A in JSON at position 0
      npm ERR! Anti cross-site request forgery token mismatch
      

      Permanent Workaround

      This bug is fixed in Nexus 3.15.1; upgrading is the recommended permanent fix.

      Temporary Workaround for 3.15.0

      The anti-CSRF filter can be temporarily disabled with a system property. Note that this property appears to disable the CSRF protection for the whole Nexus instance, not only the npm endpoints, so treat it as a stop-gap and remove the property once you have upgraded to 3.15.1.

      Edit sonatype-work/nexus3/etc/nexus.properties

      Add this property on a new line:

      nexus.security.anticsrftoken.enabled=false

      Restart Nexus for the property to take effect.


              People

              Assignee:
              mpiggott Matthew Piggott
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Peter Lynch