IBX-833: As a Developer I want to configure CSRF validation in REST endpoints (#76)

adamwojs · web-flow · commit 6022a5155b9d · 2021-08-02T13:50:30.000+02:00
diff --git a/src/bundle/EventListener/CsrfListener.php b/src/bundle/EventListener/CsrfListener.php
@@ -104,6 +104,10 @@ public function onKernelRequest(RequestEvent $event)
             return;
         }
 
+        if (!$event->getRequest()->attributes->getBoolean('csrf_protection', true)) {
+            return;
+        }
+
         if (!$this->checkCsrfToken($event->getRequest())) {
             throw new UnauthorizedException(
                 'Missing or invalid CSRF token',
@@ -143,6 +147,8 @@ protected function isLoginRequest($route)
      * @param string $route
      *
      * @return bool
+     *
+     * @deprecated since Ibexa DXP 3.3.7. Add csrf_protection: false attribute to route definition instead.
      */
     protected function isSessionRoute($route)
     {
diff --git a/src/bundle/Resources/config/routing.yml b/src/bundle/Resources/config/routing.yml
@@ -1118,18 +1118,21 @@ ezpublish_rest_createSession:
     path: /user/sessions
     defaults:
         _controller: ezpublish_rest.controller.session:createSessionAction
+        csrf_protection: false
     methods: [POST]
 
 ezpublish_rest_deleteSession:
     path: /user/sessions/{sessionId}
     defaults:
         _controller: ezpublish_rest.controller.session:deleteSessionAction
+        csrf_protection: false
     methods: [DELETE]
 
 ezpublish_rest_refreshSession:
     path: /user/sessions/{sessionId}/refresh
     defaults:
         _controller: ezpublish_rest.controller.session:refreshSessionAction
+        csrf_protection: false
     methods: [POST]
 
 
diff --git a/tests/bundle/EventListener/CsrfListenerTest.php b/tests/bundle/EventListener/CsrfListenerTest.php
@@ -137,6 +137,15 @@ public static function provideSessionRoutes()
         ];
     }
 
+    public function testSkipCsrfProtection(): void
+    {
+        $this->enableCsrfProtection = false;
+        $this->csrfTokenHeaderValue = null;
+
+        $listener = $this->getEventListener();
+        $listener->onKernelRequest($this->getEvent());
+    }
+
     public function testNoHeader()
     {
         $this->expectException(UnauthorizedException::class);
diff --git a/tests/bundle/EventListener/EventListenerTest.php b/tests/bundle/EventListener/EventListenerTest.php
@@ -34,6 +34,8 @@ abstract class EventListenerTest extends TestCase
 
     protected $requestMethod = false;
 
+    protected $enableCsrfProtection = true;
+
     /**
      * @dataProvider provideExpectedSubscribedEventTypes
      */
@@ -87,6 +89,11 @@ protected function getRequestAttributesMock()
                 ->method('get')
                 ->with('is_rest_request')
                 ->willReturn($this->isRestRequest);
+
+            $this->requestAttributesMock
+                ->method('getBoolean')
+                ->with('csrf_protection', true)
+                ->willReturn($this->enableCsrfProtection);
         }
 
         return $this->requestAttributesMock;

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,10 @@ public function onKernelRequest(RequestEvent $event)`
`104`	`104`	`return;`
`105`	`105`	`}`
`106`	`106`
	`107`	`+ if (!$event->getRequest()->attributes->getBoolean('csrf_protection', true)) {`
	`108`	`+ return;`
	`109`	`+ }`
	`110`	`+`
`107`	`111`	`if (!$this->checkCsrfToken($event->getRequest())) {`
`108`	`112`	`throw new UnauthorizedException(`
`109`	`113`	`'Missing or invalid CSRF token',`
`@@ -143,6 +147,8 @@ protected function isLoginRequest($route)`
`143`	`147`	`* @param string $route`
`144`	`148`	`*`
`145`	`149`	`* @return bool`
	`150`	`+ *`
	`151`	`+ * @deprecated since Ibexa DXP 3.3.7. Add csrf_protection: false attribute to route definition instead.`
`146`	`152`	`*/`
`147`	`153`	`protected function isSessionRoute($route)`
`148`	`154`	`{`