diff --git a/console-webapp/src/app/app.module.ts b/console-webapp/src/app/app.module.ts
index 2aa9e2323..1e859b5e9 100644
--- a/console-webapp/src/app/app.module.ts
+++ b/console-webapp/src/app/app.module.ts
@@ -23,7 +23,11 @@ import { MaterialModule } from './material.module';
 import { BackendService } from './shared/services/backend.service';
-import { provideHttpClient } from '@angular/common/http';
+import {
+  HttpClientXsrfModule,
+  provideHttpClient,
+  withInterceptorsFromDi,
+} from '@angular/common/http';
 import { MAT_FORM_FIELD_DEFAULT_OPTIONS } from '@angular/material/form-field';
 import { BillingInfoComponent } from './billingInfo/billingInfo.component';
 import {
@@ -118,6 +122,10 @@ export class SelectedRegistrarModule {}
 MaterialModule,
 SelectedRegistrarModule,
 SnackBarModule,
+    HttpClientXsrfModule.withOptions({
+      cookieName: 'X-CSRF-Token',
+      headerName: 'X-CSRF-Token',
+    }),
 ],
 providers: [
 BackendService,
@@ -130,7 +138,7 @@ export class SelectedRegistrarModule {}
 subscriptSizing: 'dynamic',
 },
 },
-    provideHttpClient(),
+    provideHttpClient(withInterceptorsFromDi()),
 ],
 })
 export class AppModule {}
diff --git a/core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java b/core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java
index 322c55992..6f347fe63 100644
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java
@@ -46,11 +46,8 @@ import google.registry.security.XsrfTokenManager;
 import google.registry.util.DiffUtils;
 import google.registry.util.RegistryEnvironment;
 import jakarta.inject.Inject;
-import jakarta.servlet.http.Cookie;
-import java.util.Arrays;
 import java.util.LinkedHashMap;
 import java.util.Map;
-import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Stream;
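Review bot: The cookie and header names passed to `HttpClientXsrfModule.withOptions` are bare string literals that must stay identical to the server's `XsrfTokenManager.X_CSRF_TOKEN` (the Java hunks below use that one constant for both the cookie and the header); if either side is renamed, the interceptor silently stops attaching the header and every mutating console request is rejected with 401, with nothing at build time to catch it. A comment on the `cookieName` line such as `// Must match XsrfTokenManager.X_CSRF_TOKEN on the server: the value is read from document.cookie and echoed as a request header.` would at least make the coupling visible. Note also that Angular's XSRF interceptor, as documented, only adds the header to non-GET/HEAD requests whose URL is relative, so if BackendService ever targets an absolute URL the header is not sent — worth confirming against that service, which is not in this diff. Finally, since the file already uses `provideHttpClient`, `withXsrfConfiguration({ cookieName: 'X-CSRF-Token', headerName: 'X-CSRF-Token' })` would express the same configuration without the NgModule (and, if no other DI-registered interceptors exist, without `withInterceptorsFromDi()`); whether that is preferable depends on the Angular version in use, which I cannot see here.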
@@ -143,14 +140,10 @@ public abstract class ConsoleApiAction implements Runnable {
 }
 private boolean verifyXSRF(User user) {
- Optional maybeCookie =
- Arrays.stream(consoleApiParams.request().getCookies())
- .filter(c -> XsrfTokenManager.X_CSRF_TOKEN.equals(c.getName()))
- .findFirst();
- if (maybeCookie.isEmpty()
- || !consoleApiParams
- .xsrfTokenManager()
- .validateToken(user.getEmailAddress(), maybeCookie.get().getValue())) {
+ String xsrfToken = consoleApiParams.request().getHeader(XsrfTokenManager.X_CSRF_TOKEN);
+ if (xsrfToken == null
+ || xsrfToken.isEmpty()
+ || !consoleApiParams.xsrfTokenManager().validateToken(user.getEmailAddress(), xsrfToken)) {
 consoleApiParams.response().setStatus(SC_UNAUTHORIZED);
 return false;
 }
diff --git a/core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java b/core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java
index f4def0e7a..af542e22b 100644
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java
@@ -65,6 +65,7 @@ public class ConsoleUserDataAction extends ConsoleApiAction {
 XsrfTokenManager.X_CSRF_TOKEN,
 consoleApiParams.xsrfTokenManager().generateToken(user.getEmailAddress()));
 xsrfCookie.setSecure(true);
+    xsrfCookie.setPath("/");
 consoleApiParams.response().addCookie(xsrfCookie);
 JSONObject json =
diff --git a/core/src/test/java/google/registry/testing/ConsoleApiParamsUtils.java b/core/src/test/java/google/registry/testing/ConsoleApiParamsUtils.java
index 31219ef1b..f116af329 100644
--- a/core/src/test/java/google/registry/testing/ConsoleApiParamsUtils.java
+++ b/core/src/test/java/google/registry/testing/ConsoleApiParamsUtils.java
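Review bot: The new header-only check in verifyXSRF deserves a comment, because nothing in the method says why the cookie is no longer consulted: a browser attaches the cookie to cross-site requests on its own, so the old cookie-only check proved nothing about the request's origin, whereas the `X-CSRF-Token` header can only be added by script running on the console's own origin (the Angular interceptor configured in app.module.ts copies it from the cookie). I would put above the `getHeader` line: `// Double-submit check: the token issued as a cookie by ConsoleUserDataAction must be echoed back in the X-CSRF-Token header by same-origin script; the cookie itself is deliberately not read here.` A secondary point is the status code: a failed check answers SC_UNAUTHORIZED although the user is already authenticated, and SC_FORBIDDEN is the conventional response to a rejected CSRF token that a client will not confuse with an expired session. verifyXSRF continues past the end of the hunk.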
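Review bot: The cookie built here is sent with `Secure` and now `Path=/`, but nothing records that it must stay readable from JavaScript: the Angular XSRF interceptor obtains the token from `document.cookie`, so adding `HttpOnly` during a future hardening pass would silently break every mutating console request. I would state that above `setSecure(true)`: `// Deliberately not HttpOnly: the console's HttpClient XSRF interceptor reads this cookie from document.cookie and echoes it in the X-CSRF-Token header.` Independently, no `SameSite` attribute is visible on the cookie; if the servlet API level in use exposes `Cookie.setAttribute`, `xsrfCookie.setAttribute("SameSite", "Strict")` would be cheap defense in depth on top of the double-submit scheme, though I cannot confirm the API version from this diff. The enclosing method starts and ends outside the hunk.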
@@ -38,14 +38,11 @@ public final class ConsoleApiParamsUtils {
 new SendEmailUtils(ImmutableList.of("notification@test.example"), gmailClient);
 XsrfTokenManager xsrfTokenManager =
 new XsrfTokenManager(new FakeClock(Instant.parse("2020-02-02T01:23:45Z")));
+ String token =
+ xsrfTokenManager.generateToken(authResult.user().map(User::getEmailAddress).orElse(""));
 when(request.getCookies())
- .thenReturn(
- new Cookie[] {
- new Cookie(
- XsrfTokenManager.X_CSRF_TOKEN,
- xsrfTokenManager.generateToken(
- authResult.user().map(User::getEmailAddress).orElse("")))
- });
+ .thenReturn(new Cookie[] {new Cookie(XsrfTokenManager.X_CSRF_TOKEN, token)});
+ when(request.getHeader(XsrfTokenManager.X_CSRF_TOKEN)).thenReturn(token);
 when(request.getRequestURI()).thenReturn("/console/fake-url");
 return ConsoleApiParams.create(
 request,
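Review bot: Every ConsoleApiParams produced by this helper now stubs both the cookie and the `X-CSRF-Token` header with the same token, so no test built on it can exercise the case the production change is about: a request that carries the cookie (which a browser attaches automatically on a cross-site request) but not the header, which verifyXSRF must now reject with 401. I would either add a variant of this helper that leaves `request.getHeader(XsrfTokenManager.X_CSRF_TOKEN)` unstubbed (Mockito then returns null) or a dedicated test that does so and asserts the 401, plus one where the header carries a token generated for a different email address. A minor point of style: the `when(request.getCookies())` stub is only still needed if something other than ConsoleApiAction reads the cookie server-side, since that class no longer does; a short comment saying why it is kept, or removing it, would avoid the impression that the cookie alone still satisfies the check. The enclosing method starts before and ends after the hunk.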