403 Forbidden with CSRF verification failed after updating Label Studio version [GKE] [helm chart] #6606

Closed
ArmandXUuu opened this issue Nov 6, 2024 · 13 comments

@ArmandXUuu

Describe the bug
Our team has a LabelStudio deployment via helm chart on a Google (Cloud) Kubernetes Engine.

After trying to bump the Docker image version from 1.13.1 to 1.14.0, users could no longer log in, with an error saying "Forbidden (403) CSRF verification failed" (see screenshot).

To Reproduce
About our implementation
We used this chart:

helm repo add heartex https://charts.heartex.com/
helm repo update heartex

with custom values.yaml + image heartexlabs/label-studio:1.14.0

...
global:
  image:
    repository: heartexlabs/label-studio
    pullPolicy: IfNotPresent
    # tag: "1.13.1"
    tag: "1.14.0"
...
  extraEnvironmentVars:
    EXPERIMENTAL_FEATURES: 1
    LABEL_STUDIO_HOST: "https://labelstudio.ourdomain.com"
    DJANGO_CSRF_TRUSTED_ORIGINS: "https://labelstudio.ourdomain.com" # yeah that's my desperate attempt
    SSRF_PROTECTION_ENABLED: "true"

Other values remain nearly the same as here

Expected behavior
A user should be able to log in without any problem.

Screenshots
image (1)
image

Environment:

  • OS:
    • Client: MacOS 15.1, Safari / Ubuntu, Firefox
    • K8s: Google Kubernetes Engine 1.29.8-gke.1278000
  • Label Studio Version: 1.14.0

Additional context
I'd be happy to provide more information.

@CertainPassenger

CertainPassenger commented Nov 6, 2024

Same issue here. Label Studio deployed in our Kubernetes Cluster. After the upgrade from 1.13.2 to 1.14.0, using Edge or Firefox in Linux results in the CSRF validation failed error.

@jombooth
Contributor

Quick debugging step: does it work if you specify CSRF_TRUSTED_ORIGINS instead of DJANGO_CSRF_TRUSTED_ORIGINS?

@CertainPassenger

I've already wanted to say that it also didn't work using CSRF_TRUSTED_ORIGINS, since we tried it already. But we've taken another look at the source code for parsing the CSRF_TRUSTED_ORIGINS in https://github.com/HumanSignal/label-studio/blob/develop/label_studio/core/settings/base.py#L700-L702 and seen that we've set the env variable wrong. Using the following snippet, it's now working for us:

env:
  - name: CSRF_TRUSTED_ORIGINS
    value: "https://example-a.com,https://example-b.com"
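
Added example (not part of the thread, and not Label Studio's own code): a pre-deploy check for a CSRF_TRUSTED_ORIGINS value. It assumes the comma-separated format from the working snippet above and models the matching on Django's origin check (exact match, plus `*.` subdomain wildcards); the function names are hypothetical.

```python
from urllib.parse import urlsplit


def parse_trusted_origins(raw):
    """Split the env value on commas (assumed format) and drop empty items."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def lint_origin(entry):
    """Return reasons why `entry` could never equal a browser Origin header."""
    if "://" not in entry:
        return ["missing scheme"]
    parts = urlsplit(entry)
    problems = []
    if not parts.netloc:
        problems.append("missing host")
    if parts.path or parts.query or parts.fragment:
        problems.append("not a bare origin")
    return problems


def origin_trusted(origin, trusted):
    """Exact match first, then scheme-bound '*.' subdomain wildcards."""
    if origin in trusted:
        return True
    got = urlsplit(origin)
    for entry in trusted:
        want = urlsplit(entry)
        if "*" not in entry or want.scheme != got.scheme:
            continue
        suffix = want.netloc.lstrip("*")  # "*.example.com" -> ".example.com"
        if suffix.startswith(".") and (
            got.netloc.endswith(suffix) or got.netloc == suffix[1:]
        ):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, reusing the hostnames shown in the thread.
    raw = "https://example-a.com, labelstudio.ourdomain.com, https://example-b.com/"
    trusted = parse_trusted_origins(raw)
    for entry in trusted:
        print(entry, "->", lint_origin(entry) or "ok")
    print(origin_trusted("https://example-a.com", trusted))
```

An entry with a trailing slash or without a scheme is flagged because the browser's Origin header carries only scheme, host and optional port, so such an entry never matches exactly.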

@farioas
Member

farioas commented Nov 13, 2024

LABEL_STUDIO_HOST is no longer required, can you try with unset LABEL_STUDIO_HOST and CSRF_TRUSTED_ORIGINS env vars?

@ArmandXUuu
Author

> LABEL_STUDIO_HOST is no longer required, can you try with unset LABEL_STUDIO_HOST and CSRF_TRUSTED_ORIGINS env vars?

Thank you for your reply. I just tried removing LABEL_STUDIO_HOST and CSRF_TRUSTED_ORIGINS, but it still doesn't work.

@ArmandXUuu
Author

ArmandXUuu commented Nov 14, 2024

> Quick debugging step: does it work if you specify CSRF_TRUSTED_ORIGINS instead of DJANGO_CSRF_TRUSTED_ORIGINS?

In fact it works! Thank you!
I've got:

global:
...
  extraEnvironmentVars:
    EXPERIMENTAL_FEATURES: 1
    CSRF_TRUSTED_ORIGINS: "https://labelstudio.ourdomain.com"
    SSRF_PROTECTION_ENABLED: "true"
...

@ArmandXUuu
Author

My problem is solved, so I'm closing this issue. Thank you all!

@shhivam

shhivam commented Nov 21, 2024

I am on Label Studio 1.14.0 and I am facing the same problem.

LABEL_STUDIO_HOST does nothing, the documentation needs to be updated, I think.

After specifying the following variables, it worked.

EXPERIMENTAL_FEATURES: 1
CSRF_TRUSTED_ORIGINS: "https://labelstudio.ourdomain.com"
SSRF_PROTECTION_ENABLED: "true"

@prestonzen

I added these flags but I still have the same CSRF error.

@m4tej241

Hello guys, can someone tell me where I can change these variables? I can't find the file. Thanks

@ArmandXUuu
Author

> Hello guys, can someone tell me where can I change these variables? I can't find the file. Thanks

Hey @m4tej241. It depends on how you implement labelstudio. In my case I use the official helm chart to deploy on Kubernetes. The configurations can be added in global.extraEnvironmentVars.

helm repo add heartex https://charts.heartex.com/
helm repo update
helm upgrade --install labelstudio heartex/label-studio -n prod -f prod/label-studio.yaml

The goal is to create/modify environment variables. For more information you can refer to this doc:
https://labelstud.io/guide/start#Set-environment-variables

@m4tej241

Hello @ArmandXUuu, I just cloned the GitHub repo and that's it. Is it possible to include it inside the .env file that I have in the web folder?

@m4tej241

It got fixed for me when I first ran the backend server and logged in, and then turned on the frontend server as well. Before, I was starting the frontend while being on the login screen with the backend, and that caused the error when I tried logging in on the frontend server. Hopefully this makes sense to some of you. Take care
