Ãenable CSRF support for swagger-ui. Fixes #776

Author: bnasslahsen

springdoc-openapi-common/src/main/java/org/springdoc/core/Constants.java

@@ -70,7 +70,6 @@ public final class Constants {
 	 */
 	public static final String SPRINGDOC_ENABLED = "springdoc.api-docs.enabled";
 
-
 	/**
 	 * The constant SPRINGDOC_DEPRECATING_CONVERTER_ENABLED.
 	 */
@@ -256,6 +255,16 @@ public final class Constants {
 	 */
 	public static final String SWAGGER_UI_DEFAULT_URL = "https://petstore.swagger.io/v2/swagger.json";
 
+	/**
+	 * The constant CSRF_DEFAULT_COOKIE_NAME.
+	 */
+	public static final String CSRF_DEFAULT_COOKIE_NAME= "XSRF-TOKEN";
+
+	/**
+	 * The constant CSRF_DEFAULT_HEADER_NAME.
+	 */
+	public static final String CSRF_DEFAULT_HEADER_NAME= "X-XSRF-TOKEN";
+
 	/**
 	 * Instantiates a new Constants.
 	 */

springdoc-openapi-common/src/main/java/org/springdoc/core/SwaggerUiConfigProperties.java

@@ -53,6 +53,87 @@ public class SwaggerUiConfigProperties extends AbstractSwaggerUiConfigProperties
 	 */
 	private boolean displayQueryParamsWithoutOauth2;
 
+	/**
+	 * The Csrf configuration.
+	 */
+	private Csrf csrf = new Csrf();
+
+
+	/**
+	 * The type Csrf.
+	 */
+	public static class Csrf {
+
+		/**
+		 * The Enabled.
+		 */
+		private boolean enabled;
+
+		/**
+		 * The Cookie name.
+		 */
+		private String cookieName = Constants.CSRF_DEFAULT_COOKIE_NAME;
+
+		/**
+		 * The Header name.
+		 */
+		private String headerName = Constants.CSRF_DEFAULT_HEADER_NAME;
+
+		/**
+		 * Is enabled boolean.
+		 *
+		 * @return the boolean
+		 */
+		public boolean isEnabled() {
+			return enabled;
+		}
+
+		/**
+		 * Sets enabled.
+		 *
+		 * @param enabled the enabled
+		 */
+		public void setEnabled(boolean enabled) {
+			this.enabled = enabled;
+		}
+
+		/**
+		 * Gets cookie name.
+		 *
+		 * @return the cookie name
+		 */
+		public String getCookieName() {
+			return cookieName;
+		}
+
+		/**
+		 * Sets cookie name.
+		 *
+		 * @param cookieName the cookie name
+		 */
+		public void setCookieName(String cookieName) {
+			this.cookieName = cookieName;
+		}
+
+		/**
+		 * Gets header name.
+		 *
+		 * @return the header name
+		 */
+		public String getHeaderName() {
+			return headerName;
+		}
+
+		/**
+		 * Sets header name.
+		 *
+		 * @param headerName the header name
+		 */
+		public void setHeaderName(String headerName) {
+			this.headerName = headerName;
+		}
+	}
+
 	/**
 	 * Is disable swagger default url boolean.
 	 *
@@ -107,4 +188,31 @@ public void setDisplayQueryParamsWithoutOauth2(boolean displayQueryParamsWithout
 		this.displayQueryParamsWithoutOauth2 = displayQueryParamsWithoutOauth2;
 	}
 
+	/**
+	 * Gets csrf.
+	 *
+	 * @return the csrf
+	 */
+	public Csrf getCsrf() {
+		return csrf;
+	}
+
+	/**
+	 * Sets csrf.
+	 *
+	 * @param csrf the csrf
+	 */
+	public void setCsrf(Csrf csrf) {
+		this.csrf = csrf;
+	}
+
+	/**
+	 * Is csrf enabled boolean.
+	 *
+	 * @return the boolean
+	 */
+	public boolean isCsrfEnabled(){
+		return csrf.isEnabled();
+	};
+
 }

springdoc-openapi-common/src/main/java/org/springdoc/ui/AbstractSwaggerIndexTransformer.java

@@ -119,7 +119,7 @@ protected String overwriteSwaggerDefaultUrl(String html) {
 	 */
 	protected boolean hasDefaultTransformations() {
 		boolean oauth2Configured = !CollectionUtils.isEmpty(swaggerUiOAuthProperties.getConfigParameters());
-		return oauth2Configured || swaggerUiConfig.isDisableSwaggerDefaultUrl();
+		return oauth2Configured || swaggerUiConfig.isDisableSwaggerDefaultUrl() || swaggerUiConfig.isCsrfEnabled();
 	}
 
 	/**
@@ -137,7 +137,27 @@ protected String defaultTransformations(InputStream inputStream) throws IOExcept
 		if (swaggerUiConfig.isDisableSwaggerDefaultUrl()) {
 			html = overwriteSwaggerDefaultUrl(html);
 		}
-
+		if (swaggerUiConfig.isCsrfEnabled()) {
+			html = addCSRF(html);
+		}
 		return html;
 	}
+
+	protected String addCSRF(String html) throws JsonProcessingException {
+		StringBuilder stringBuilder = new StringBuilder();
+		stringBuilder.append("requestInterceptor: function() {\n");
+		stringBuilder.append("const value = `; ${document.cookie}`;\n");
+		stringBuilder.append("const parts = value.split(`; ");
+		stringBuilder.append(swaggerUiConfig.getCsrf().getCookieName());
+		stringBuilder.append("=`);\n");
+		stringBuilder.append("console.log(parts);\n");
+		stringBuilder.append("if (parts.length === 2)\n");
+		stringBuilder.append("this.headers['");
+		stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
+		stringBuilder.append("'] = parts.pop().split(';').shift();\n");
+		stringBuilder.append("return this;\n");
+		stringBuilder.append("},\n");
+		stringBuilder.append("presets: [");
+		return html.replace("presets: [", stringBuilder.toString());
+	}
 }

springdoc-openapi-ui/build.gradle

@@ -6,4 +6,5 @@ dependencies {
     api 'org.webjars:webjars-locator-core'
     compileOnly 'jakarta.servlet:jakarta.servlet-api'
 	testRuntimeOnly  'jakarta.servlet:jakarta.servlet-api'
+	testImplementation 'org.springframework.boot:spring-boot-starter-security'
 }

springdoc-openapi-ui/src/test/java/test/org/springdoc/ui/app11/ExampleController.java

@@ -0,0 +1,20 @@
+package test.org.springdoc.ui.app11;
+
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class ExampleController {
+
+    @PostMapping("/post")
+    public ResponseEntity<String> postExample() {
+        return ResponseEntity.ok("Successful post");
+    }
+
+    @GetMapping("/get")
+    public ResponseEntity<String> getExample() {
+        return ResponseEntity.ok("Successful get");
+    }
+}

springdoc-openapi-ui/src/test/java/test/org/springdoc/ui/app11/SpringDocCSRFTest.java

@@ -0,0 +1,53 @@
+/*
+ *
+ *  * Copyright 2019-2020 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      https://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package test.org.springdoc.ui.app11;
+
+import javax.servlet.http.Cookie;
+
+import org.junit.jupiter.api.Test;
+import test.org.springdoc.ui.AbstractSpringDocTest;
+
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.web.servlet.MvcResult;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@TestPropertySource(properties = {
+		"springdoc.swagger-ui.csrf.enabled=true",
+		"springdoc.swagger-ui.csrf.cookie-name=XSRF-TOKEN",
+		"springdoc.swagger-ui.csrf.header-name=X-XSRF-TOKEN"
+})
+public class SpringDocCSRFTest extends AbstractSpringDocTest {
+
+	@Test
+	public void testApp() throws Exception {
+		MvcResult mvcResult = mockMvc.perform(get("/swagger-ui.html"))
+				.andExpect(status().isFound()).andReturn();
+		Cookie cookie = mvcResult.getResponse().getCookie("XSRF-TOKEN");
+		mockMvc.perform(post("/post").header("X-XSRF-TOKEN", cookie.getValue()).cookie(cookie))
+				.andExpect(status().isOk());
+	}
+
+	@SpringBootApplication
+	static class SpringDocTestApp {}
+
+}

springdoc-openapi-ui/src/test/java/test/org/springdoc/ui/app11/WebSecurityConf.java

@@ -0,0 +1,18 @@
+package test.org.springdoc.ui.app11;
+
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+@EnableWebSecurity
+public class WebSecurityConf extends WebSecurityConfigurerAdapter {
+
+	@Override
+	protected void configure(HttpSecurity http) throws Exception {
+		http
+				.csrf()
+				.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+	}
+
+}

springdoc-openapi-ui/src/test/resources/application-test.yml

@@ -1 +1,5 @@
-spring.main.banner-mode: "off"
+spring:
+  main:
+    banner-mode: "off"
+  autoconfigure:
+    exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration