CSRF protection documentation update

eclipse-pass · Jun 26, 2024 · fb797a0 · fb797a0
1 parent bb21273
commit fb797a0
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -110,6 +110,10 @@ docker run --name=idp -p 8090:8080 -e SIMPLESAMLPHP_SP_ENTITY_ID=https://sp.pass
 ```
 Note the volume mount which is set the user information appropriately for PASS.
 
+# CSRF protection
+
+Requests which have side effects (not a GET, HEAD, or OPTIONS and any request to /doi) are protected from CSRF through the use of a token. The client must provide a cookie XSRF-TOKEN and set a header X-XSRF-TOKEN to the same value. Clients can use any value they want. Browser clients will have the cookie value set by responses and so must first make a non-protected request.
+
 # App service
 
 The PASS application is available at `/app/` and `/` is redirected to `/app/`. Requests are resolved against the location given by the environment variable `PASS_CORE_APP_LOCATION`. If a request cannot be resolved, then `/app/index.html` will be returned.  This allows the user interface to handle paths which may not resolve to files.

diff --git a/pass-core-main/src/main/java/org/eclipse/pass/main/security/CsrfCookieFilter.java b/pass-core-main/src/main/java/org/eclipse/pass/main/security/CsrfCookieFilter.java
@@ -10,7 +10,8 @@
 import org.springframework.web.filter.OncePerRequestFilter;
 
 /**
- * Ensure CSRF token cookie is added.
+ * Ensure CSRF token cookie is added. See
+ * https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#csrf-integration-javascript-spa
  */
 public class CsrfCookieFilter extends OncePerRequestFilter {
     @Override

diff --git a/pass-core-main/src/main/java/org/eclipse/pass/main/security/SpaCsrfTokenRequestHandler.java b/pass-core-main/src/main/java/org/eclipse/pass/main/security/SpaCsrfTokenRequestHandler.java
@@ -8,9 +8,11 @@
 import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
 import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
+import org.springframework.util.StringUtils;
 
 /**
- * Handle case of single page application which puts CSRF token cookie value into header.
+ * Handle case of single page application which puts CSRF token cookie value into header. See
+ * https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#csrf-integration-javascript-spa
  */
 public class SpaCsrfTokenRequestHandler extends CsrfTokenRequestAttributeHandler {
     private final CsrfTokenRequestHandler delegate = new XorCsrfTokenRequestAttributeHandler();
@@ -34,7 +36,7 @@ public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfTo
          */
         String token = request.getHeader(csrfToken.getHeaderName());
 
-        if (token != null && !token.isEmpty()) {
+        if (StringUtils.hasText(token)) {
             return super.resolveCsrfTokenValue(request, csrfToken);
         }