Master csrf token incorrectly returned as page token #262

Open
forgedhallpass opened this issue Apr 11, 2024 Discussed in #257 · 0 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@forgedhallpass (Member)
Discussed in #257

Originally posted by musaka872 March 27, 2024
Hi,
I'm trying to integrate csrfguard 4.3.0 in our project.
I've configured it to use per-session tokens and not per-page tokens. But when I receive the token in the response header it is returned as a page token in this form {pageTokens:{"/page/uri":"csrf-token"}}, and then, when I send this token in a subsequent request, csrfguard compares {pageTokens:{"/page/uri":"csrf-token"}} to "csrf-token" and it fails.
I debugged CsrfGuardFilter, and in the handleSession method we have:

private void handleSession(final HttpServletRequest httpServletRequest, final InterceptRedirectResponse interceptRedirectResponse,
                           final FilterChain filterChain, final LogicalSession logicalSession, final CsrfGuard csrfGuard)
        throws IOException, ServletException {

    final String logicalSessionKey = logicalSession.getKey();

    // Validate the token on the incoming request before passing it down the chain.
    if (new CsrfValidator().isValid(httpServletRequest, interceptRedirectResponse)) {
        filterChain.doFilter(httpServletRequest, interceptRedirectResponse);
    } else {
        logInvalidRequest(httpServletRequest);
    }

    // Generate either the per-session (master) token or a per-page token, depending on configuration...
    final String requestURI = httpServletRequest.getRequestURI();
    final String generatedToken = csrfGuard.getTokenService().generateTokensIfAbsent(logicalSessionKey, httpServletRequest.getMethod(), requestURI);

    // ...but always wrap whatever was generated as a page token keyed by the request URI when writing the response header.
    CsrfGuardUtils.addResponseTokenHeader(csrfGuard, httpServletRequest, interceptRedirectResponse,
                                          new TokenTO(Collections.singletonMap(requestURI, generatedToken)));
}

In generateTokensIfAbsent it checks whether the per-page or master token should be generated and generates the correct master token. But then, as you can see, when TokenTO is created the master token is passed as a per-page token and it is sent as such in the response header.

Is this a bug, or am I missing something?

I don't want to parse the response header to retrieve the "csrf-token" that csrfguard returns.

Best regards,
Martin

@forgedhallpass forgedhallpass added the bug Something isn't working label Apr 11, 2024
@forgedhallpass forgedhallpass added the help wanted Extra attention is needed label Aug 16, 2024
Development

No branches or pull requests

1 participant