8
votes
Can I get some advice?
TL;DR: I can't log in to Tildes from the Links browser. Other websites are fine.
I'm not the most computer-literate person (especially when it comes to the Internet). I've been getting into Linux and Arch lately, so I'm a little bit better at it now. So I've been trying to learn text browsers (my choice is Links), and although it's been going fine, I can't log in to Tildes. I can log in to other websites like Google or Reddit, but not Tildes for some reason. I enter my username and password, but then it just takes me to the 'we're invite only' page. When I press 'register', it doesn't even lead to the register page, it takes me to the 'we're invite only' page again.
I know there's some developers here, do you know what could be the problem?
I'm getting "400 Bad CSRF Origin". Looks like security is getting in the way, as usual. You are not doing anything wrong, it should work, but doesn't.
What does this mean? Is it the site who's refusing to log me in or is it the Links' fault?
Having done a little digging, it looks like Links doesn't send the Referer HTTP header - which is acceptable from a technical standpoint, as it's marked as optional in the spec (and is easily forged anyway). Some server-side frameworks (from the wording of the error, Google suggests Pyramid in this case) make use of that header in their CSRF checking - which is used to ensure that a request really did come from the site in question - and potentially assume a forgery if it's missing. The specific code in Pyramid can be found here: https://docs.pylonsproject.org/projects/pyramid/en/latest/_modules/pyramid/csrf.html
Basically, it looks like tildes' security config is strict enough that it's blocking your legitimate requests.
Yeah, this is the default Pyramid setup for CSRF checking. I can probably disable the Origin check though, I'm not sure if it really adds any meaningful security.
Just looking into this a bit more, it seems like using the Referer or Origin header is recommended pretty strongly: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Identifying_Source_Origin However, since I'm also using a CSRF token it's probably not truly necessary to do both.
In the end, I think this is mostly an issue currently because the site can't be used while logged out. Since Links doesn't support Javascript anyway, the site won't be very functional even if you're logged in. Right now it's required to log in to even be able to browse, but once you can browse logged-out I'm not sure if Links users would even want to bother.
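As an added illustration of the two checks discussed in the replies above (the Origin/Referer source check and the separate CSRF token), here is a Python sketch that is not Pyramid's code and not part of this thread; it is modelled on the linked Pyramid logic, and the `Request` class and helper names are hypothetical:

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the request fields the checks inspect (hypothetical type).
@dataclass
class Request:
    scheme: str                      # "https" or "http"
    host: str                        # host[:port] the request was sent to
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def check_csrf_origin(request, trusted_origins=()):
    """Return (ok, reason). As in the linked Pyramid code, only HTTPS requests are checked."""
    if request.scheme != "https":
        return True, "non-HTTPS request, origin check skipped"
    # Prefer Origin; fall back to Referer when a client omits Origin.
    origin = request.headers.get("Origin") or request.headers.get("Referer")
    if not origin:
        # The Links case from the thread: neither header is sent, so the
        # source cannot be verified and the request is refused.
        return False, "Origin checking failed - no Origin or Referer"
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return False, "Origin checking failed - malformed origin"
    trusted = {t.lower() for t in trusted_origins} | {request.host.lower()}
    if parts.netloc.lower() not in trusted:
        return False, f"Origin checking failed - {parts.netloc} not trusted"
    return True, "origin verified"

def check_csrf_token(request, session_token):
    """Independent second layer: a per-session secret a cross-site page cannot read."""
    supplied = request.headers.get("X-CSRF-Token") or request.form.get("csrf_token", "")
    return hmac.compare_digest(supplied, session_token)

def is_request_trusted(request, session_token, require_origin=True):
    """Combine both layers. With require_origin=False the token-only policy the site
    admin considers above lets a header-less client such as Links through."""
    if not check_csrf_token(request, session_token):
        return False
    if require_origin:
        return check_csrf_origin(request)[0]
    return True
```

A request with a valid token but no Origin/Referer fails only the origin layer, which is exactly the "400 Bad CSRF Origin" the poster saw.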
The site is refusing to log you in. You might want to report this in ~tildes.
FWIW I saw this a while ago; I used Lynx and that worked fine. Have you tried other terminal-based browsers?