Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Complete CSRF cleanup for Teleport 18 #50534

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Complete CSRF cleanup for Teleport 18 #50534

wants to merge 3 commits into from

Conversation

zmb3
Copy link
Collaborator

@zmb3 zmb3 commented Dec 21, 2024

This is the last OSS PR planned to simplify our CSRF package going forward.

Best to review commit-by-commit.

  • The first commit is a partial revert that restores the use of CSRF tokens in SSO flows.
    SSO flows are the one case where we need to rely on a cookie with a CSRF token because
    a bearer token is not available to users prior to authenticating.
  • The 2nd commit removes some unused code and makes it clear that our CSRF package is now
    focused solely on protecting against login CSRF.
  • The final commit cleans up some tests that no longer need to provide a CSRF cookie
    and expands our godocs in a few important areas.

zmb3 added 3 commits December 21, 2024 10:27
This is a partial revert of #50358.
We need to keep the CSRF token in the SSO flows for now, as it is
used to ensure that the flow is completed by the same actor who
initiated the sign-on.
This package is only used to protect against login CSRF with SSO flows.

Teleport's web API is protected from CSRF by nature of using a bearer
token, and does not require this package. This particular pacakge is
only necessary for SSO because the user is not yet logged in when the
SSO flow begins, so they don't have a bearer token.
Additionally expand upon the godocs for our various middlewares
so that it's clear which ones provide CSRF protection.
@zmb3 zmb3 requested a review from flyinghermit December 21, 2024 17:58
@zmb3 zmb3 added the no-changelog Indicates that a PR does not require a changelog entry label Dec 21, 2024
Copy link

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-50534.d3pp5qlev8mo18.amplifyapp.com

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
no-changelog Indicates that a PR does not require a changelog entry size/sm
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant