Prevent CSRF Filter from verifying token for a specific path

[egorsivenko]

I'm making a custom OAuth authorization server with Quarkus Renarde.

It includes quarkus-rest-csrf dependency which is used for securing endpoints that accept application/x-www-form-urlencoded such as /login, /register, /oauth2/clients/new, etc.

As follows from the OAuth specs, the client sends POST request of type application/x-www-form-urlencoded to get the token after previously obtaining the authorization code.

As the client represents an external application, the authorization server doesn't need to verify CSRF token upon receiving token POST request, because otherwise it's basically impossible to communicate with it.

The only thing I have found in the docs is to restrict CSRF token creation after GET request, but it doesn't seem to fit the case. Is there a way to disable CSRF filter for such a specific endpoint?

[sberyozkin]

@egorsivenko You can tell CSRF filter to look at specific paths only, thus avoiding it checking OAuth handler paths, please check the config, there could be a few more properties there which can help

[egorsivenko]

Thanks for your reply.

From RestCsrfConfig, the only property that aims to help with it, is quarkus.rest-csrf.create-token-path, but it doesn't seem to work even with code example from the docs, where it says that Verify CSRF token only for the /service/user path, ignore other paths such as /service/users, but even after setting quarkus.rest-csrf.create-token-path=/service/user, the POST request to /service/users still returns 400 Bad Request.
https://quarkus.io/guides/security-csrf-prevention#restrict-csrf-token-verification

[sberyozkin]

@egorsivenko Np, it might be a doc bug, can you have a look at https://github.com/quarkusio/quarkus/blob/main/integration-tests/rest-csrf/src/main/resources/application.properties ?

[egorsivenko]

The thing is, all paths that are available with corresponding HTML form pages, are listed in quarkus.rest-csrf.create-token-path. So the CSRF token is being returned after GET request on any page and sent alongside with the token from the form in any POST request. There is no test for the case when some path is not listed and therefore CSRF filter should "avoid checking" POST requests to it. But if you try to do sth like this, the filter will still require token from cookie or header (with the log "CSRF token is not found"), no matter whether the path is specified or not.

Also, from what I've found here, the verification of whether token is required or not, only takes place if the request method is "safe".
So again, I don't see a legitimate way of making CSRF filter "ignore" POST requests from specific paths, or maybe I'm still missing sth?

[sberyozkin]

@egorsivenko Right, the GET is where the server would respond with some form or htmx and it is at this point where the decision must be made if the follow up calls would be expected to be CSRF protected, by default every GET would have its response prepared accordingly or it can be set at create-token-path.

Now, as far as non-safe methods like POST are concerned then they are indeed are expected to carry the token. Right now, I only see a verify-token property that one can use to turn the validation off at the filter level - and then do it manually, as shown here...

Hmm... Looks like we need a property there like, verify-token-exclude-path, and as long as no CSRF cookie is detected on such paths, the non-safe HTTP method requests can go through...

Can you please open an enhancement request ? PR would also be welcome if it can be of interest, but at least please open an issue