csrf tokens; retries with exponential backoff for specific requests

HardMax71 · HardMax71 · commit 7421d1115d06 · 2025-07-06T19:22:12.000+02:00
diff --git a/backend/app/api/routes/auth.py b/backend/app/api/routes/auth.py
@@ -91,7 +91,11 @@ async def login(
         path="/",
     )
 
-    return {"message": "Login successful", "username": user.username}
+    # Generate CSRF token for the session
+    session_id = security_service.get_session_id_from_request(request)
+    csrf_token = security_service.generate_csrf_token(session_id)
+    
+    return {"message": "Login successful", "username": user.username, "csrf_token": csrf_token}
 
 
 @router.post("/register", response_model=UserResponse)
@@ -176,7 +180,11 @@ async def verify_token(
                 "user_agent": request.headers.get("user-agent"),
             },
         )
-        return {"valid": True, "username": current_user.username}
+        # Generate fresh CSRF token for authenticated session
+        session_id = security_service.get_session_id_from_request(request)
+        csrf_token = security_service.generate_csrf_token(session_id)
+        
+        return {"valid": True, "username": current_user.username, "csrf_token": csrf_token}
 
     except Exception as e:
         logger.error(
diff --git a/backend/app/api/routes/execution.py b/backend/app/api/routes/execution.py
@@ -1,6 +1,7 @@
 from app.core.exceptions import IntegrationException
 from app.core.logging import logger
 from app.core.metrics import ACTIVE_EXECUTIONS, EXECUTION_DURATION, SCRIPT_EXECUTIONS
+from app.core.security import validate_csrf_token
 from app.schemas.execution import (
     ExampleScripts,
     ExecutionRequest,
diff --git a/backend/app/api/routes/saved_scripts.py b/backend/app/api/routes/saved_scripts.py
@@ -1,7 +1,7 @@
 from typing import List
 
 from app.core.logging import logger
-from app.core.security import security_service
+from app.core.security import security_service, validate_csrf_token
 from app.schemas.saved_script import SavedScriptCreateRequest, SavedScriptResponse, SavedScriptUpdate
 from app.schemas.user import UserInDB
 from app.services.saved_script_service import (
@@ -49,6 +49,7 @@ async def create_saved_script(
         saved_script: SavedScriptCreateRequest,
         current_user: UserInDB = Depends(security_service.get_current_user),
         saved_script_service: SavedScriptService = Depends(get_saved_script_service),
+        csrf_token: str = Depends(validate_csrf_token),
 ) -> SavedScriptResponse:
     logger.info(
         "Creating new saved script",
@@ -158,6 +159,7 @@ async def update_saved_script(
         script_in_db: SavedScriptResponse = Depends(get_script_or_404),
         current_user: UserInDB = Depends(get_validated_user),
         saved_script_service: SavedScriptService = Depends(get_saved_script_service),
+        csrf_token: str = Depends(validate_csrf_token),
 ) -> SavedScriptResponse:
     logger.info(
         "Updating saved script",
@@ -210,6 +212,7 @@ async def delete_saved_script(
         script_in_db: SavedScriptResponse = Depends(get_script_or_404),
         current_user: UserInDB = Depends(get_validated_user),
         saved_script_service: SavedScriptService = Depends(get_saved_script_service),
+        csrf_token: str = Depends(validate_csrf_token),
 ) -> None:
     logger.info(
         "Deleting saved script",
diff --git a/backend/app/core/security.py b/backend/app/core/security.py
@@ -8,6 +8,7 @@
 from fastapi import Depends, HTTPException, Request, status
 from fastapi.security import OAuth2PasswordBearer
 from passlib.context import CryptContext
+from itsdangerous import URLSafeTimedSerializer, BadSignature, SignatureExpired
 
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/login")
 
@@ -27,6 +28,10 @@ class SecurityService:
     def __init__(self) -> None:
         self.pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
         self.settings = get_settings()
+        self.csrf_serializer = URLSafeTimedSerializer(
+            secret_key=self.settings.SECRET_KEY,
+            salt="csrf-token"
+        )
 
     def verify_password(self, plain_password: str, hashed_password: str) -> bool:
         return self.pwd_context.verify(plain_password, hashed_password)  # type: ignore
@@ -72,5 +77,71 @@ async def get_current_user(
             raise credentials_exception
         return user
 
+    def generate_csrf_token(self, session_id: str) -> str:
+        """Generate a CSRF token for the given session"""
+        data = {
+            "session_id": session_id,
+            "timestamp": datetime.utcnow().isoformat()
+        }
+        return self.csrf_serializer.dumps(data)
+
+    def validate_csrf_token(self, token: str, session_id: str) -> bool:
+        """Validate a CSRF token"""
+        try:
+            data = self.csrf_serializer.loads(token, max_age=3600)  # 1 hour
+            return data.get("session_id") == session_id
+        except (BadSignature, SignatureExpired):
+            return False
+
+    def get_session_id_from_request(self, request: Request) -> str:
+        """Get session ID from request (using access token as session identifier)"""
+        token = request.cookies.get("access_token")
+        if token:
+            return token[:32]  # Use first 32 chars as session ID
+        
+        # Fallback to client fingerprint
+        client_ip = request.client.host if request.client else "unknown"
+        user_agent = request.headers.get("user-agent", "unknown")
+        return f"{client_ip}:{user_agent}"[:32]
+
 
 security_service = SecurityService()
+
+
+def validate_csrf_token(request: Request) -> str:
+    """FastAPI dependency to validate CSRF token"""
+    # Skip CSRF validation for safe methods
+    if request.method in ["GET", "HEAD", "OPTIONS"]:
+        return "skip"
+    
+    # Skip CSRF validation for auth endpoints
+    if request.url.path in ["/api/v1/login", "/api/v1/register", "/api/v1/logout"]:
+        return "skip"
+    
+    # Skip CSRF validation for non-API endpoints
+    if not request.url.path.startswith("/api/"):
+        return "skip"
+    
+    # Check if user is authenticated first (has access_token cookie)
+    access_token = request.cookies.get("access_token")
+    if not access_token:
+        # If not authenticated, skip CSRF validation (auth will be handled by other dependencies)
+        return "skip"
+    
+    # Get CSRF token from request
+    csrf_token = request.headers.get("X-CSRF-Token")
+    if not csrf_token:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="CSRF token missing"
+        )
+    
+    # Validate CSRF token
+    session_id = security_service.get_session_id_from_request(request)
+    if not security_service.validate_csrf_token(csrf_token, session_id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="CSRF token invalid"
+        )
+    
+    return csrf_token
diff --git a/backend/app/main.py b/backend/app/main.py
@@ -112,6 +112,7 @@ def create_app() -> FastAPI:
             "Accept",
             "Origin",
             "X-Requested-With",
+            "X-CSRF-Token",
         ],
         expose_headers=["Content-Length", "Content-Range"],
     )
diff --git a/frontend/package.json b/frontend/package.json
@@ -29,6 +29,7 @@
     "autoprefixer": "^10.4.20",
     "axios": "^1.7.7",
     "codemirror": "^6.0.1",
+    "exponential-backoff": "^3.1.2",
     "dotenv": "^16.4.5",
     "postcss": "^8.4.47",
     "rollup": "^3.15.0",
diff --git a/frontend/src/lib/api.js b/frontend/src/lib/api.js
@@ -0,0 +1,123 @@
+import { backOff } from 'exponential-backoff';
+import { get } from 'svelte/store';
+import { csrfToken } from '../stores/auth.js';
+
+/**
+ * Check if an error should trigger a retry
+ */
+function shouldRetry(error) {
+    // Network errors
+    if (error.name === 'TypeError' && error.message.includes('fetch')) {
+        return true;
+    }
+    
+    // If it's a Response object, check status codes
+    if (error instanceof Response) {
+        const status = error.status;
+        return status >= 500 || status === 408 || status === 429;
+    }
+    
+    return false;
+}
+
+/**
+ * Fetch with retry logic using exponential-backoff
+ * @param {string} url - The URL to fetch
+ * @param {Object} options - Fetch options
+ * @param {Object} retryOptions - Retry configuration
+ * @returns {Promise<Response>} - The fetch response
+ */
+export async function fetchWithRetry(url, options = {}, retryOptions = {}) {
+    const {
+        numOfAttempts = 3,
+        maxDelay = 10000,
+        jitter = 'none',
+        ...otherRetryOptions
+    } = retryOptions;
+
+    return backOff(
+        async () => {
+            const response = await fetch(url, {
+                credentials: 'include',
+                ...options
+            });
+            
+            // For retryable errors, throw to trigger retry logic
+            if (!response.ok && shouldRetry(response)) {
+                const error = new Error(`HTTP ${response.status}: ${response.statusText}`);
+                error.response = response;
+                throw error;
+            }
+            
+            return response;
+        },
+        {
+            numOfAttempts,
+            maxDelay,
+            jitter,
+            retry: (error) => shouldRetry(error) || shouldRetry(error.response),
+            ...otherRetryOptions
+        }
+    );
+}
+
+/**
+ * Make an authenticated request with CSRF token and retry logic
+ * @param {string} url - The URL to request
+ * @param {Object} options - Request options
+ * @param {Object} retryOptions - Retry configuration
+ * @returns {Promise<Response>} - The response
+ */
+export async function makeAuthenticatedRequest(url, options = {}, retryOptions = {}) {
+    return fetchWithRetry(url, {
+        ...options,
+        headers: {
+            ...options.headers,
+            ...addCSRFTokenToHeaders(options.method)
+        }
+    }, retryOptions);
+}
+
+/**
+ * Add CSRF token to headers if needed
+ * @param {string} method - HTTP method
+ * @returns {Object} - Headers object with CSRF token if applicable
+ */
+function addCSRFTokenToHeaders(method) {
+    const headers = {};
+    
+    // Add CSRF token for state-changing requests
+    if (method && !['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) {
+        const token = get(csrfToken);
+        if (token) {
+            headers['X-CSRF-Token'] = token;
+        }
+    }
+    
+    return headers;
+}
+
+/**
+ * Generic API call helper with retry logic
+ * @param {string} url - The URL to request
+ * @param {Object} options - Request options
+ * @param {Object} retryOptions - Retry configuration
+ * @returns {Promise<any>} - Parsed JSON response
+ */
+export async function apiCall(url, options = {}, retryOptions = {}) {
+    const response = await makeAuthenticatedRequest(url, options, retryOptions);
+    
+    if (!response.ok) {
+        const error = new Error(`HTTP ${response.status}: ${response.statusText}`);
+        error.response = response;
+        throw error;
+    }
+    
+    // Only parse JSON if response has content
+    const contentType = response.headers.get('content-type');
+    if (contentType && contentType.includes('application/json')) {
+        return response.json();
+    }
+    
+    return response;
+}
diff --git a/frontend/src/routes/Editor.svelte b/frontend/src/routes/Editor.svelte
diff --git a/frontend/src/stores/auth.js b/frontend/src/stores/auth.js

Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,7 @@ def create_app() -> FastAPI:`
`112`	`112`	`"Accept",`
`113`	`113`	`"Origin",`
`114`	`114`	`"X-Requested-With",`
	`115`	`+ "X-CSRF-Token",`
`115`	`116`	`],`
`116`	`117`	`expose_headers=["Content-Length", "Content-Range"],`
`117`	`118`	`)`