
Replace CSRF source from cookie to header in the console requests (#3047)

* Update XSRF cookie to be a header

* Replace CSRF cookie with header
Pavlo Tkach
2026-05-15 13:45:33 -04:00
committed by GitHub
parent 0998d5485c
commit d30cc202d2
4 changed files with 19 additions and 20 deletions


@@ -23,7 +23,11 @@ import { MaterialModule } from './material.module';
import { BackendService } from './shared/services/backend.service';
import { provideHttpClient } from '@angular/common/http';
import {
HttpClientXsrfModule,
provideHttpClient,
withInterceptorsFromDi,
} from '@angular/common/http';
import { MAT_FORM_FIELD_DEFAULT_OPTIONS } from '@angular/material/form-field';
import { BillingInfoComponent } from './billingInfo/billingInfo.component';
import {
@@ -118,6 +122,10 @@ export class SelectedRegistrarModule {}
MaterialModule,
SelectedRegistrarModule,
SnackBarModule,
HttpClientXsrfModule.withOptions({
cookieName: 'X-CSRF-Token',
headerName: 'X-CSRF-Token',
}),
],
providers: [
BackendService,
@@ -130,7 +138,7 @@ export class SelectedRegistrarModule {}
subscriptSizing: 'dynamic',
},
},
provideHttpClient(),
provideHttpClient(withInterceptorsFromDi()),
],
})
export class AppModule {}
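Review bot: The XSRF interceptor configured on L35–L38 attaches the `X-CSRF-Token` header only to non-GET/HEAD requests whose URL is relative, and it obtains the value from `document.cookie`, so the server-issued cookie must stay readable by script and any backend call made with an absolute `http(s)://` URL would now fail the server-side header check; worth confirming that `BackendService` (L21) uses relative URLs throughout. As a point of style, the file already uses the provider API on L47, and `@angular/common/http` exposes the same configuration as a `provideHttpClient` feature, which avoids mixing the module-based `HttpClientXsrfModule` with `withInterceptorsFromDi()`: `provideHttpClient(withInterceptorsFromDi(), withXsrfConfiguration({ cookieName: 'X-CSRF-Token', headerName: 'X-CSRF-Token' })),`. A short comment next to the configuration noting that the cookie name must match the one set by the console user-data endpoint would also help keep the two sides in sync.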


@@ -46,11 +46,8 @@ import google.registry.security.XsrfTokenManager;
import google.registry.util.DiffUtils;
import google.registry.util.RegistryEnvironment;
import jakarta.inject.Inject;
import jakarta.servlet.http.Cookie;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
@@ -143,14 +140,10 @@ public abstract class ConsoleApiAction implements Runnable {
}
private boolean verifyXSRF(User user) {
Optional<Cookie> maybeCookie =
Arrays.stream(consoleApiParams.request().getCookies())
.filter(c -> XsrfTokenManager.X_CSRF_TOKEN.equals(c.getName()))
.findFirst();
if (maybeCookie.isEmpty()
|| !consoleApiParams
.xsrfTokenManager()
.validateToken(user.getEmailAddress(), maybeCookie.get().getValue())) {
String xsrfToken = consoleApiParams.request().getHeader(XsrfTokenManager.X_CSRF_TOKEN);
if (xsrfToken == null
|| xsrfToken.isEmpty()
|| !consoleApiParams.xsrfTokenManager().validateToken(user.getEmailAddress(), xsrfToken)) {
consoleApiParams.response().setStatus(SC_UNAUTHORIZED);
return false;
}
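Review bot: `verifyXSRF` now takes the token solely from the `X-CSRF-Token` request header (L76) and no longer consults the cookie, which is a contract change for callers that the method does not document; a Javadoc on L67 would make it explicit, e.g. `/** Validates the XSRF token sent in the {@code X-CSRF-Token} request header for {@code user}; sets 401 and returns false when the header is missing or invalid. */`. The null/empty guard on L77–L78 is correct since `getHeader` returns null when the header is absent, and it incidentally removes the NPE the old code risked when `getCookies()` returned null. Consider `isBlank()` rather than `isEmpty()` so a whitespace-only value takes the same early-reject path instead of reaching `validateToken`. The method's remaining lines lie outside the hunk.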


@@ -65,6 +65,7 @@ public class ConsoleUserDataAction extends ConsoleApiAction {
XsrfTokenManager.X_CSRF_TOKEN,
consoleApiParams.xsrfTokenManager().generateToken(user.getEmailAddress()));
xsrfCookie.setSecure(true);
xsrfCookie.setPath("/");
consoleApiParams.response().addCookie(xsrfCookie);
JSONObject json =
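Review bot: The cookie built on L87–L91 must remain readable by script, because the console's XSRF interceptor copies it from `document.cookie` into the `X-CSRF-Token` header, so a comment here would guard against a later well-meaning `setHttpOnly(true)` silently breaking every mutating console request: `// Intentionally not HttpOnly: the console reads this cookie client-side and mirrors it into the X-CSRF-Token header.` Widening the path to `/` on L90 means the token cookie now accompanies every request to the origin, which is harmless for the header-based check but is worth a one-line note on why the wider scope is needed. If the servlet API in use supports cookie attributes, `xsrfCookie.setAttribute("SameSite", "Strict")` would further limit cross-site transmission without affecting the header flow. The enclosing method begins before the hunk.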


@@ -38,14 +38,11 @@ public final class ConsoleApiParamsUtils {
new SendEmailUtils(ImmutableList.of("notification@test.example"), gmailClient);
XsrfTokenManager xsrfTokenManager =
new XsrfTokenManager(new FakeClock(Instant.parse("2020-02-02T01:23:45Z")));
String token =
xsrfTokenManager.generateToken(authResult.user().map(User::getEmailAddress).orElse(""));
when(request.getCookies())
.thenReturn(
new Cookie[] {
new Cookie(
XsrfTokenManager.X_CSRF_TOKEN,
xsrfTokenManager.generateToken(
authResult.user().map(User::getEmailAddress).orElse("")))
});
.thenReturn(new Cookie[] {new Cookie(XsrfTokenManager.X_CSRF_TOKEN, token)});
when(request.getHeader(XsrfTokenManager.X_CSRF_TOKEN)).thenReturn(token);
when(request.getRequestURI()).thenReturn("/console/fake-url");
return ConsoleApiParams.create(
request,