2

I'm sending two POST requests using the REST API: http://localhost:8111/app/rest/buildQueue but my second request fails with:

403 Forbidden: Responding with 403 status code due to failed CSRF check: no "Origin" header is present and no authentication provided with the request, consider adding "Origin: http://localhost:8111" header.

I'm wondering why this is happening, since if I run the builds in the UI and change the params (e.g. build1 has %version=2% and build2 has %version=3%), they run in parallel with each other on different available agents.

Here's my JSON request:

REST API endpoint: http://localhost:8111/app/rest/buildQueue

JSON body:

{
  "branchName": "master",
  "buildType": {
    "id": "DockerBuild",
    "projectId": "Test"
  },
  "properties": {
    "property": [
      {
        "name": "DOCKER_IMAGE_NAME",
        "value": "test-3"
      },
      {
        "name": "SNAPSHOT_DEPENDENCY_VERSION",
        "value": "0.6"
      }
    ]
  }
}

Am I missing a parameter to be able to run builds in parallel with each other?

Wai Ha Lee

4 Answers

2

When you face problems regarding CSRF protection in TeamCity (for example, you get the "Responding with 403 status code due to failed CSRF check" response from the server), you can follow these steps:

  • If you use a reverse proxy, make sure you correctly configure Host/Origin headers, as described above. In the meantime, you may want to add the public URL of your server to CORS-enabled origins.

  • You can temporarily disable CSRF protection altogether by setting the teamcity.csrf.origin.check.enabled=logOnly internal property.

  • Information about failed CSRF attempts is logged to the TeamCity/logs/teamcity-auth.log files. For more detailed diagnostics of the requests, enable the debug-auth logging preset.

Try passing in the request header -H 'Origin: http://localhost:8111'

Senior Pomidor
2

Maybe this can be useful for someone: I got the same error with a single POST using Postman:

403 Forbidden: Responding with 403 status code due to failed CSRF check: no "Origin" header is present and no authentication provided with the request, consider adding "Origin: http://teamcity:20011" header.

So I followed the recommendation of the error message, and in Header I added "Origin" with the value "http://teamcity:20011" and that fixed the issue. BTW, in Authorization I selected "Bearer Token" and I pasted the token generated previously through TeamCity. This is the call:

http://teamcity:20011/app/rest/buildQueue 

I was just testing how to trigger a build using the API and it worked successfully. Now the following step is to implement this call using JavaScript.

Wai Ha Lee
Luis Hernandez
1

Request a CSRF header with the appropriate request: https://teamcity/authenticationTest.html?csrf

and set it in the "X-TC-CSRF-TOKEN" header of your POST request

f.capet
0

If you specify an access token in the request header, like Authorization: Bearer ..., you don't need to specify a CSRF token, and what you should actually check is that you're not sending cookies.

This is from the developer in JetBrains:

If you're using a token-based authentication, there should be no need to provide CSRF token header and obtain it with authenticationTest.html call. In this scenario, it is expected that there are no session Cookies in the HTTP request (otherwise, TeamCity will try to find a token).

I.e. basically, you should be able to do the HTTP call in no-session way by providing the Authorization: Bearer {{token}} header only.

https://youtrack.jetbrains.com/issue/TW-69566/Flaky-builds-with-CSRF-Header-X-TC-CSRF-Token-does-not-match-CSRF-session-value#focus=Comments-27-4644138.0-0

Well, the error and the documentation don't seem to explain this, though...

Manabu Nakazawa
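
The token-only, no-session call that the answers above converge on, written in JavaScript as an added example (it is not code from the thread or from JetBrains). The function and option names (`buildQueueRequest`, `triggerBuild`, `baseUrl`, `buildTypeId`) are hypothetical, and the token is whatever access token you generated in TeamCity.

```javascript
// Added example: builds a stateless POST to /app/rest/buildQueue.
// Bearer token only, no session cookie, so no X-TC-CSRF-TOKEN is needed.
function buildQueueRequest({ baseUrl, token, buildTypeId, branchName, properties = {} }) {
  if (!token) throw new Error("an access token is required");
  const base = new URL(baseUrl);
  // Keep a context path such as /teamcity if the server is not at the root.
  const url = base.origin + base.pathname.replace(/\/+$/, "") + "/app/rest/buildQueue";
  const body = {
    branchName,
    buildType: { id: buildTypeId },
    properties: {
      // Same shape as the JSON body in the question.
      property: Object.entries(properties).map(([name, value]) => ({ name, value: String(value) })),
    },
  };
  return {
    url,
    init: {
      method: "POST",
      credentials: "omit", // browser fetch: never attach a TeamCity session cookie
      headers: {
        Authorization: `Bearer ${token}`,
        "Content-Type": "application/json",
        Accept: "application/json",
        Origin: base.origin, // for non-browser clients; browsers set Origin themselves
      },
      body: JSON.stringify(body),
    },
  };
}

// fetchImpl is injectable so the call can be exercised without a server.
async function triggerBuild(options, fetchImpl = fetch) {
  const { url, init } = buildQueueRequest(options);
  const res = await fetchImpl(url, init);
  if (res.status === 403) {
    // CSRF or auth rejection: surface the server's explanation instead of retrying.
    throw new Error(`TeamCity rejected the request: ${await res.text()}`);
  }
  if (!res.ok) throw new Error(`unexpected status ${res.status}`);
  return res.json();
}
```

Because each request carries its own credentials and no cookie jar is shared, a second call behaves exactly like the first, which is the property the failing second POST in the question was missing.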