Updates to add csrf and resolve review messages

Darkside138 · Darkside138 · commit d728e4953a2c · 2025-12-17T09:59:17.000-06:00
diff --git a/gradle.properties b/gradle.properties
@@ -1,2 +1,2 @@
-projectVersion=4.1.16
+projectVersion=4.1.17
 org.gradle.configuration-cache=false
diff --git a/src/frontend/src/App.tsx b/src/frontend/src/App.tsx
@@ -16,7 +16,7 @@ import {
   handleOAuthRedirect,
   type DiscordUser
 } from './utils/auth';
-import { getAuthHeaders, fetchWithAuth } from './utils/api';
+import { getAuthHeaders, fetchWithAuth, fetchCsrfToken, getAuthHeadersWithCsrf } from './utils/api';
 import { toast, Toaster } from 'sonner@2.0.3';
 
 interface Sound {
@@ -147,6 +147,9 @@ export default function App() {
         }
         setAuthLoading(false);
       }
+
+      // Fetch CSRF token
+      await fetchCsrfToken();
     };
 
     handleCallback();
@@ -573,7 +576,7 @@ export default function App() {
           mode: 'cors',
           headers: {
             'Content-Type': 'application/json',
-            ...getAuthHeaders()
+            ...getAuthHeadersWithCsrf()
           }
         }
       );
@@ -631,7 +634,7 @@ export default function App() {
           mode: 'cors',
           headers: {
             'Content-Type': 'application/json',
-            ...getAuthHeaders()
+            ...getAuthHeadersWithCsrf()
           }
         }
       );
@@ -716,7 +719,7 @@ export default function App() {
         {
           method: 'POST',
           mode: 'cors',
-          headers: getAuthHeaders()
+          headers: getAuthHeadersWithCsrf()
         }
       );
 
@@ -799,7 +802,7 @@ export default function App() {
         {
           method: 'POST',
           mode: 'cors',
-          headers: getAuthHeaders()
+          headers: getAuthHeadersWithCsrf()
         }
       );
 
@@ -832,7 +835,7 @@ export default function App() {
         {
           method: 'POST',
           mode: 'cors',
-          headers: getAuthHeaders()
+          headers: getAuthHeadersWithCsrf()
         }
       );
 
@@ -881,7 +884,7 @@ export default function App() {
       console.log('📤 Uploading file:', file.name);
 
       // Get auth headers
-      const authHeaders = getAuthHeaders();
+      const authHeaders = getAuthHeadersWithCsrf();
       console.log('📋 Auth headers:', authHeaders);
 
       const response = await fetch(API_ENDPOINTS.UPLOAD, {
diff --git a/src/frontend/src/components/UsersOverlay.tsx b/src/frontend/src/components/UsersOverlay.tsx
@@ -1,6 +1,7 @@
 import React, { useState, useEffect } from 'react';
 import { X, ChevronLeft, ChevronRight, ArrowUpDown, ArrowUp, ArrowDown } from 'lucide-react';
 import { API_ENDPOINTS } from '../config';
+import { fetchWithAuth, getAuthHeaders } from '../utils/api';
 
 interface DiscordUser {
   id: string;
@@ -50,7 +51,7 @@ export function UsersOverlay({ isOpen, onClose, theme, sounds }: UsersOverlayPro
         params.append('sortDir', sortDirection);
       }
 
-      const response = await fetch(
+      const response = await fetchWithAuth(
         `${API_ENDPOINTS.DISCORD_USERS}?${params.toString()}`,
         { mode: 'cors' }
       );
@@ -125,7 +126,7 @@ export function UsersOverlay({ isOpen, onClose, theme, sounds }: UsersOverlayPro
       }
 
       // Call the Spring Boot PATCH endpoint with query parameters
-      const response = await fetch(
+      const response = await fetchWithAuth(
         `${API_ENDPOINTS.DISCORD_USERS}/${userId}?${params.toString()}`,
         {
           method: 'PATCH',
diff --git a/src/frontend/src/config.ts b/src/frontend/src/config.ts
@@ -28,6 +28,7 @@ export const API_ENDPOINTS = {
   AUTH_USER: `${API_BASE_URL}/api/auth/user`,
   AUTH_LOGOUT: `${API_BASE_URL}/api/auth/logout`,
   OAUTH_LOGIN: `${API_BASE_URL}/oauth2/authorization/discord`,
+  CSRF_TOKEN: `${API_BASE_URL}/api/auth/csrf-token`,
   // Bot version
   BOT_VERSION: `${API_BASE_URL}/bot/version`,
 };
diff --git a/src/frontend/src/utils/api.ts b/src/frontend/src/utils/api.ts
@@ -1,5 +1,45 @@
 import { loadAuth } from './auth';
 
+// Store CSRF token in memory
+let csrfToken: string | null = null;
+
+/**
+ * Fetch CSRF token from the backend
+ */
+export async function fetchCsrfToken(): Promise<string | null> {
+  try {
+    const response = await fetch('/api/auth/csrf-token', {
+      credentials: 'include', // Include cookies
+    });
+
+    if (response.ok) {
+      const data = await response.json();
+      csrfToken = data.token;
+      return csrfToken;
+    }
+  } catch (error) {
+    console.error('Failed to fetch CSRF token:', error);
+  }
+
+  return null;
+}
+
+/**
+ * Get the current CSRF token
+ */
+export function getCsrfToken(): string | null {
+  return csrfToken;
+}
+
+/**
+ * Check if the request method requires CSRF token
+ */
+function requiresCsrfToken(method?: string): boolean {
+  if (!method) return false;
+  const upperMethod = method.toUpperCase();
+  return ['POST', 'PUT', 'DELETE', 'PATCH'].includes(upperMethod);
+}
+
 /**
  * Make an authenticated API request with the JWT token
  */
@@ -15,6 +55,11 @@ export async function fetchWithAuth(url: string, options: RequestInit = {}): Pro
     headers['Authorization'] = `Bearer ${auth.accessToken}`;
   }
 
+  // Add CSRF token for mutation requests
+  if (requiresCsrfToken(options.method) && csrfToken) {
+    headers['X-CSRF-TOKEN'] = csrfToken;
+  }
+
   return fetch(url, {
     ...options,
     headers,
@@ -47,3 +92,16 @@ export function getAuthHeaders(): HeadersInit {
 
   return headers;
 }
+
+/**
+ * Get auth headers including CSRF token for mutation requests
+ */
+export function getAuthHeadersWithCsrf(): HeadersInit {
+  const headers = getAuthHeaders();
+
+  if (csrfToken) {
+    headers['X-CSRF-TOKEN'] = csrfToken;
+  }
+
+  return headers;
+}
diff --git a/src/frontend/src/utils/auth.ts b/src/frontend/src/utils/auth.ts
@@ -1,4 +1,5 @@
 import { API_ENDPOINTS } from '../config';
+import { getCsrfToken } from './api';
 
 export interface DiscordUser {
   id: string;
@@ -188,14 +189,21 @@ export async function validateToken(accessToken: string): Promise<DiscordUser |
 
 export async function logout(accessToken: string): Promise<void> {
   try {
+    const headers: Record<string, string> = {
+      'Authorization': `Bearer ${accessToken}`
+    };
+
+    const csrfToken = getCsrfToken();
+    if (csrfToken) {
+      headers['X-CSRF-TOKEN'] = csrfToken;
+    }
+
     await fetch(`${API_ENDPOINTS.AUTH_LOGOUT}`, {
       method: 'POST',
-      headers: {
-        'Authorization': `Bearer ${accessToken}`
-      }
+      headers
     });
   } catch {
     // Ignore errors during logout
   }
   clearAuth();
-}
+}
diff --git a/src/main/java/net/dirtydeeds/discordsoundboard/config/SecurityConfig.java b/src/main/java/net/dirtydeeds/discordsoundboard/config/SecurityConfig.java
@@ -28,7 +28,6 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                     .invalidateHttpSession(true)
                     .deleteCookies("JSESSIONID")
             )
-            .csrf(AbstractHttpConfigurer::disable)
             .authorizeHttpRequests((authorizeHttpRequests) ->
                 authorizeHttpRequests
                         .requestMatchers("/**").permitAll().anyRequest().authenticated()
diff --git a/src/main/java/net/dirtydeeds/discordsoundboard/controllers/AuthController.java b/src/main/java/net/dirtydeeds/discordsoundboard/controllers/AuthController.java
@@ -4,6 +4,7 @@
 import net.dirtydeeds.discordsoundboard.util.JwtUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 
@@ -63,6 +64,12 @@ public ResponseEntity<Map<String, Object>> getUser(@RequestHeader("Authorization
         }
     }
 
+    @GetMapping("/csrf-token")
+    @ResponseBody
+    public CsrfToken csrfToken(CsrfToken token) {
+        return token;
+    }
+
     @PostMapping("/logout")
     public ResponseEntity<Void> logout(@RequestHeader("Authorization") String authorization) {
         return ResponseEntity.ok().build();
diff --git a/src/main/java/net/dirtydeeds/discordsoundboard/controllers/DiscordUserController.java b/src/main/java/net/dirtydeeds/discordsoundboard/controllers/DiscordUserController.java
@@ -77,14 +77,13 @@ public Page<DiscordUser> getInvoiceOrSelected(@RequestParam(defaultValue = "0")
 
     @PatchMapping("/{userId}")
     public ResponseEntity<DiscordUser> updateUserSounds(
-            @PathVariable String userId,
-            @RequestParam(required = false) String entranceSound,
-            @RequestParam(required = false) String leaveSound,
-            @RequestHeader(value = "Authorization", required = false) String authorization
-    ) {
+                        @PathVariable String userId,
+                        @RequestParam(required = false) String entranceSound,
+                        @RequestParam(required = false) String leaveSound,
+                        @RequestHeader(value = "Authorization", required = false) String authorization) {
 
         String authId = userRoleConfig.getUserIdFromAuth(authorization);
-        if (userId == null || !userRoleConfig.hasPermission(userId, "manage-users")) {
+        if (userId == null || !userRoleConfig.hasPermission(authId, "manage-users")) {
             return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
         }
 
diff --git a/src/main/java/net/dirtydeeds/discordsoundboard/controllers/SoundController.java b/src/main/java/net/dirtydeeds/discordsoundboard/controllers/SoundController.java
@@ -22,6 +22,7 @@
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.servlet.mvc.method.annotation.SseEmitter;
+import org.springframework.web.util.HtmlUtils;
 
 import java.io.File;
 import java.io.IOException;
@@ -44,15 +45,15 @@
  * @author dfurrer.
  */
 @Hidden
-
-    private static final Logger log = LoggerFactory.getLogger(SoundController.class);
 @RestController
 @RequestMapping("/api/soundFiles")
 @SuppressWarnings("unused")
 public class SoundController {
 
     private static final long EMITTER_TIMEOUT_MILLIS = TimeUnit.MINUTES.toMillis(5);
 
+    private static final Logger log = LoggerFactory.getLogger(SoundController.class);
+
     @Autowired
     private final UserRoleConfig userRoleConfig;
     @Setter
@@ -257,11 +258,11 @@ public ResponseEntity<String> uploadFile(
             file.transferTo(new File(filePath));
 
             soundService.save(new SoundFile(originalFilename, filePath, "", 0, ZonedDateTime.now(), false, null, 0));
-            log.error("Failed to upload file", e);
+            log.error("Failed to upload file");
 
             broadcastUpdate();
 
-            return ResponseEntity.ok("File uploaded successfully: " + originalFilename);
+            return ResponseEntity.ok("File uploaded successfully: " + HtmlUtils.htmlEscape(originalFilename));
 
         } catch (Exception e) {
             return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-projectVersion=4.1.16`
	`1`	`+projectVersion=4.1.17`
`2`	`2`	`org.gradle.configuration-cache=false`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ import {`
`16`	`16`	`handleOAuthRedirect,`
`17`	`17`	`type DiscordUser`
`18`	`18`	`} from './utils/auth';`
`19`		`-import { getAuthHeaders, fetchWithAuth } from './utils/api';`
	`19`	`+import { getAuthHeaders, fetchWithAuth, fetchCsrfToken, getAuthHeadersWithCsrf } from './utils/api';`
`20`	`20`	`import { toast, Toaster } from 'sonner@2.0.3';`
`21`	`21`
`22`	`22`	`interface Sound {`
`@@ -147,6 +147,9 @@ export default function App() {`
`147`	`147`	`}`
`148`	`148`	`setAuthLoading(false);`
`149`	`149`	`}`
	`150`	`+`
	`151`	`+ // Fetch CSRF token`
	`152`	`+ await fetchCsrfToken();`
`150`	`153`	`};`
`151`	`154`
`152`	`155`	`handleCallback();`
`@@ -573,7 +576,7 @@ export default function App() {`
`573`	`576`	`mode: 'cors',`
`574`	`577`	`headers: {`
`575`	`578`	`'Content-Type': 'application/json',`
`576`		`- ...getAuthHeaders()`
	`579`	`+ ...getAuthHeadersWithCsrf()`
`577`	`580`	`}`
`578`	`581`	`}`
`579`	`582`	`);`
`@@ -631,7 +634,7 @@ export default function App() {`
`631`	`634`	`mode: 'cors',`
`632`	`635`	`headers: {`
`633`	`636`	`'Content-Type': 'application/json',`
`634`		`- ...getAuthHeaders()`
	`637`	`+ ...getAuthHeadersWithCsrf()`
`635`	`638`	`}`
`636`	`639`	`}`
`637`	`640`	`);`
`@@ -716,7 +719,7 @@ export default function App() {`
`716`	`719`	`{`
`717`	`720`	`method: 'POST',`
`718`	`721`	`mode: 'cors',`
`719`		`- headers: getAuthHeaders()`
	`722`	`+ headers: getAuthHeadersWithCsrf()`
`720`	`723`	`}`
`721`	`724`	`);`
`722`	`725`
`@@ -799,7 +802,7 @@ export default function App() {`
`799`	`802`	`{`
`800`	`803`	`method: 'POST',`
`801`	`804`	`mode: 'cors',`
`802`		`- headers: getAuthHeaders()`
	`805`	`+ headers: getAuthHeadersWithCsrf()`
`803`	`806`	`}`
`804`	`807`	`);`
`805`	`808`
`@@ -832,7 +835,7 @@ export default function App() {`
`832`	`835`	`{`
`833`	`836`	`method: 'POST',`
`834`	`837`	`mode: 'cors',`
`835`		`- headers: getAuthHeaders()`
	`838`	`+ headers: getAuthHeadersWithCsrf()`
`836`	`839`	`}`
`837`	`840`	`);`
`838`	`841`
`@@ -881,7 +884,7 @@ export default function App() {`
`881`	`884`	`console.log('📤 Uploading file:', file.name);`
`882`	`885`
`883`	`886`	`// Get auth headers`
`884`		`- const authHeaders = getAuthHeaders();`
	`887`	`+ const authHeaders = getAuthHeadersWithCsrf();`
`885`	`888`	`console.log('📋 Auth headers:', authHeaders);`
`886`	`889`
`887`	`890`	`const response = await fetch(API_ENDPOINTS.UPLOAD, {`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,6 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {`
`28`	`28`	`.invalidateHttpSession(true)`
`29`	`29`	`.deleteCookies("JSESSIONID")`
`30`	`30`	`)`
`31`		`- .csrf(AbstractHttpConfigurer::disable)`
`32`	`31`	`.authorizeHttpRequests((authorizeHttpRequests) ->`
`33`	`32`	`authorizeHttpRequests`
`34`	`33`	`.requestMatchers("/**").permitAll().anyRequest().authenticated()`