From d611de0e7bfd557712d7b2afaebdcfc41f2011ee Mon Sep 17 00:00:00 2001
From: Joep de Jong
Date: Mon, 27 May 2024 21:05:11 +0300
Subject: [PATCH 1/2] Implement CSRF breach protection (to resolve token issues)
---
 src/main/java/ch/wisv/events/ChConnectConfiguration.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/main/java/ch/wisv/events/ChConnectConfiguration.java b/src/main/java/ch/wisv/events/ChConnectConfiguration.java
index 56d1f8c4..ce6ed2b6 100644
--- a/src/main/java/ch/wisv/events/ChConnectConfiguration.java
+++ b/src/main/java/ch/wisv/events/ChConnectConfiguration.java
@@ -22,6 +22,7 @@
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.CorsConfiguration;
@@ -69,7 +70,9 @@ public class ChConnectConfiguration {
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 http
 .cors(Customizer.withDefaults())
- .csrf(Customizer.withDefaults())
+ .csrf((csrf) -> csrf
+ .csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
+ )
 .authorizeHttpRequests((authorize) -> authorize
 .requestMatchers("/administrator/**").hasRole("ADMIN")
 .requestMatchers("/", "/management/health").permitAll()
From 72ed811c77d74799a25718438a56ace1e091c131 Mon Sep 17 00:00:00 2001
From: Joep de Jong
Date: Mon, 27 May 2024 22:45:59 +0300
Subject: [PATCH 2/2] Merge cors rules
---
 src/main/java/ch/wisv/events/ChConnectConfiguration.java | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/main/java/ch/wisv/events/ChConnectConfiguration.java b/src/main/java/ch/wisv/events/ChConnectConfiguration.java
index ce6ed2b6..d33fefb3 100644
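Review bot: The `XorCsrfTokenRequestAttributeHandler` set on the `.csrf(...)` call in the second hunk is, on Spring Security 6.x, the handler that `Customizer.withDefaults()` already installs, so if this project is on 6.x the removed line and the three added lines are behaviourally identical; on 5.8 the default is the plain `CsrfTokenRequestAttributeHandler` and the change is real — please confirm the version in the build file. Either way the intent named in the subject (BREACH mitigation) is not readable at the call site, and the handler choice has client-side consequences, so I would put `// XOR-mask the CSRF token per response so it cannot be recovered through a compression side channel (BREACH)` directly above `.csrfTokenRequestHandler(...)`. Note that `filterChain` continues past the end of the hunk, and that a second `.csrf(...)` customizer further down the same chain configures the token repository; the follow-up patch in this series merges the two.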
--- a/src/main/java/ch/wisv/events/ChConnectConfiguration.java
+++ b/src/main/java/ch/wisv/events/ChConnectConfiguration.java
@@ -70,9 +70,6 @@ public class ChConnectConfiguration {
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 http
 .cors(Customizer.withDefaults())
- .csrf((csrf) -> csrf
- .csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
- )
 .authorizeHttpRequests((authorize) -> authorize
 .requestMatchers("/administrator/**").hasRole("ADMIN")
 .requestMatchers("/", "/management/health").permitAll()
@@ -82,6 +79,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 .logoutSuccessUrl("/")
 )
 .csrf(csrf -> csrf
+ .csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
 .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
 .ignoringRequestMatchers("/api/v1/**")
 )
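Review bot: With `XorCsrfTokenRequestAttributeHandler` now combined with `CookieCsrfTokenRepository.withHttpOnlyFalse()` in the second hunk, the value the server accepts in the `X-XSRF-TOKEN` header (or `_csrf` parameter) is the per-response XOR-masked token exposed through the `CsrfToken` request attribute, not the raw token stored in the `XSRF-TOKEN` cookie — so a JavaScript client that reads that cookie and echoes it, which is the usual reason for making the cookie readable, will be rejected with 403. If that is the client pattern here (I cannot tell from the diff), Spring Security's documented approach is a small custom `CsrfTokenRequestHandler` that delegates `handle()` to the XOR handler but resolves the incoming header with a plain `CsrfTokenRequestAttributeHandler` when the header carries the raw cookie value; server-rendered forms that use `${_csrf.token}` are unaffected. Separately, if I read 6.x's deferred token loading correctly, the cookie is only written once something calls `CsrfToken#getToken()` during a request, so an API-only session typically needs an extra filter for the cookie to appear at all — possibly the "token issues" the series title refers to. Also note the unchanged `.ignoringRequestMatchers("/api/v1/**")` two lines below: whichever handler is chosen, CSRF checks stay disabled for the whole API, which is only safe if those endpoints are authenticated by something other than the session cookie the OIDC login establishes. The `filterChain` body continues past the end of the hunk.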