fix(csrf): allow to set trusted origins (#4347)

erka · web-flow · commit 5a0338c4cf66 · 2025-06-12T14:35:45.000Z
diff --git a/config/flipt.schema.cue b/config/flipt.schema.cue
@@ -43,6 +43,7 @@ import "list"
 			csrf?: {
 				key: string
 				secure?:        bool
+				trusted_origins?: [...] | string | *[]
 			}
 		}
 
diff --git a/config/flipt.schema.json b/config/flipt.schema.json
@@ -85,7 +85,11 @@
               "type": "object",
               "properties": {
                 "key": { "type": "string" },
-                "secure": { "type": "boolean" }
+                "secure": { "type": "boolean" },
+                "trusted_origins": {
+                  "type": ["array", "null"],
+                  "default": []
+                }
               },
               "required": []
             }
diff --git a/internal/cmd/http.go b/internal/cmd/http.go
@@ -180,7 +180,12 @@ func NewHTTPServer(
 					handler.ServeHTTP(w, r)
 				})
 			})
-			r.Use(csrf.Protect([]byte(key), csrf.Path("/"), csrf.Secure(cfg.Authentication.Session.CSRF.Secure)))
+			r.Use(csrf.Protect(
+				[]byte(key),
+				csrf.Path("/"),
+				csrf.Secure(cfg.Authentication.Session.CSRF.Secure),
+				csrf.TrustedOrigins(cfg.Authentication.Session.CSRF.TrustedOrigins),
+			))
 		}
 
 		r.Mount("/api/v1", api)
diff --git a/internal/config/authentication.go b/internal/config/authentication.go
@@ -246,6 +246,8 @@ type AuthenticationSessionCSRF struct {
 	Key string `json:"-" mapstructure:"key"`
 	// Secure signals to the CSRF middleware that the request is being served over TLS or plaintext HTTP
 	Secure bool `json:"secure,omitempty" mapstructure:"secure" yaml:"secure,omitempty"`
+	// TrustedOrigins is a list of trusted origins that are allowed to send requests
+	TrustedOrigins []string `json:"trustedOrigins,omitempty" mapstructure:"trusted_origins" yaml:"trusted_origins,omitempty"`
 }
 
 // AuthenticationMethods is a set of configuration for each authentication

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,7 @@ import "list"`
`43`	`43`	`csrf?: {`
`44`	`44`	`key: string`
`45`	`45`	`secure?: bool`
	`46`	`+ trusted_origins?: [...] \| string \| *[]`
`46`	`47`	`}`
`47`	`48`	`}`
`48`	`49`
Original file line number	Diff line number	Diff line change
`@@ -246,6 +246,8 @@ type AuthenticationSessionCSRF struct {`
`246`	`246`	Key string `json:"-" mapstructure:"key"`
`247`	`247`	`// Secure signals to the CSRF middleware that the request is being served over TLS or plaintext HTTP`
`248`	`248`	Secure bool `json:"secure,omitempty" mapstructure:"secure" yaml:"secure,omitempty"`
	`249`	`+ // TrustedOrigins is a list of trusted origins that are allowed to send requests`
	`250`	+ TrustedOrigins []string `json:"trustedOrigins,omitempty" mapstructure:"trusted_origins" yaml:"trusted_origins,omitempty"`
`249`	`251`	`}`
`250`	`252`
`251`	`253`	`// AuthenticationMethods is a set of configuration for each authentication`