
101573: No default csrf set-cookie on statistics endpoints
Atmire-Kristof committed May 19, 2023
1 parent 724a914 commit c9d47d7
Showing 1 changed file with 15 additions and 5 deletions.
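@@ -96,9 +96,19 @@ public CsrfToken generateToken(HttpServletRequest request) {
 @Override
 public void saveToken(CsrfToken token, HttpServletRequest request,
 HttpServletResponse response) {
-if (request.getMethod().equals("GET")) {
+// Custom conditions on which to avoid certain default CSRF strategies to add csrf cookies to the response
+if (request.getMethod().equals("GET") || request.getRequestURI().contains("/api/statistics/")) {
 return;
 }
+saveTokenWithoutConditions(token, request, response);
+}
+
+/**
+* Save the csrf token to the response (see saveToken method), assuming custom conditional checks have already been
+* applied
+*/
+public void saveTokenWithoutConditions(CsrfToken token, HttpServletRequest request,
+HttpServletResponse response) {
 String tokenValue = token == null ? "" : token.getToken();
 Cookie cookie = new Cookie(this.cookieName, tokenValue);
 cookie.setSecure(request.isSecure());
@@ -126,9 +136,9 @@ public void saveToken(CsrfToken token, HttpServletRequest request,
 sameSite = "Lax";
 }
 ResponseCookie responseCookie = ResponseCookie.from(cookie.getName(), cookie.getValue())
-.path(cookie.getPath()).maxAge(cookie.getMaxAge())
-.domain(cookie.getDomain()).httpOnly(cookie.isHttpOnly())
-.secure(cookie.getSecure()).sameSite(sameSite).build();
+.path(cookie.getPath()).maxAge(cookie.getMaxAge())
+.domain(cookie.getDomain()).httpOnly(cookie.isHttpOnly())
+.secure(cookie.getSecure()).sameSite(sameSite).build();
 
 // Write the ResponseCookie to the Set-Cookie header
 // This cookie is only used by the backend & not needed by client
@@ -151,7 +161,7 @@ public void saveNewTokenWhenCookieAndHeaderDontMatch(HttpServletRequest request,
 CsrfToken headerToken = loadTokenFromHeader(request);
 if (token == null || headerToken == null || !token.getToken().equals(headerToken.getToken())) {
 CsrfToken newToken = generateToken(request);
-saveToken(newToken, request, response);
+saveTokenWithoutConditions(newToken, request, response);
 }
 }
 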
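Review bot: The new exclusion at the top of saveToken is a bare substring test on `request.getRequestURI()`, so it fires for any request whose raw, undecoded URI contains `/api/statistics/` anywhere (not only requests actually routed to the statistics endpoints) and it does not fire for an equivalent path written with encoded separators or matrix parameters. Since the guard only suppresses a Set-Cookie this is not a CSRF bypass, but it is fragile; I would match against the servlet path with something like `new AntPathRequestMatcher("/api/statistics/**").matches(request)` and keep the excluded prefix in a named constant such as `private static final String STATISTICS_PATH_PREFIX = "/api/statistics/";` so the exclusion list is visible in one place. The Javadoc on saveTokenWithoutConditions should also state explicitly that it bypasses the GET/statistics guard, which matters because saveNewTokenWhenCookieAndHeaderDontMatch in the last hunk now calls it, so a statistics request with a missing or mismatched header token still receives a Set-Cookie; that looks intended given the "default" wording of the title, but a reader of the method alone cannot tell. One further caveat: a `saveToken(null, …)` call meant to expire the cookie (the `token == null ? ""` branch below the guard) now also returns early on statistics URIs, so if any caller relies on a null token to clear the cookie, that clearing is skipped on those paths; the rest of saveToken's cookie construction continues outside the hunk.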

0 comments on commit c9d47d7

Please sign in to comment.