NFC-47 Review findings. Improve csrf logic.

Author: SanderKondratjevNortal

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -50,13 +50,12 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthentica
         var filter = new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager());
 
         return http
-            .csrf(csrf -> csrf.ignoringRequestMatchers("/auth/login", "/auth/mobile/auth/init"))
             .authorizeHttpRequests(auth -> auth
                 .requestMatchers("/", "/error").permitAll()
                 .requestMatchers(HttpMethod.GET, "/auth/eid/login").permitAll()
                 .requestMatchers("/auth/challenge").permitAll()
                 .requestMatchers(HttpMethod.POST, "/auth/mobile/auth/init").permitAll()
-                .requestMatchers("/favicon.ico", "/css/**", "/files/**", "/img/**", "/js/**", "/webjars/**").permitAll()
+                .requestMatchers("/favicon.ico", "/css/**", "/files/**", "/img/**", "/js/**").permitAll()
                 .anyRequest().authenticated()
             )
             .authenticationProvider(authTokenDTOAuthenticationProvider)

example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java

@@ -4,74 +4,78 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.http.HttpMethod;
+import org.springframework.lang.NonNull;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import java.io.IOException;
-import java.nio.charset.StandardCharsets;
 
 public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter {
 
-    private final RequestMatcher requestMatcher = new AntPathRequestMatcher("/auth/eid/login", "GET");
+    private final RequestMatcher requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, "/auth/eid/login");
     private static final String LOGIN_PAGE_HTML = """
-    <!doctype html>
-    <html lang="en">
-    <head>
-      <meta charset="utf-8">
-      <meta name="viewport" content="width=device-width, initial-scale=1">
-      <title>Signing you in…</title>
-      <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self';">
-    </head>
-    <body>
-    <script>
-      (function () {
-        const frag = location.hash ? location.hash.substring(1) : "";
-        if (!frag) { location.replace("/?mobileAuthError=missing_payload"); return; }
+            <!doctype html>
+            <html lang="en">
+            <head>
+              <meta charset="utf-8">
+              <title>Signing you in…</title>
+              <meta id="csrftoken" content="%s"/>
+              <meta id="csrfheadername" content="%s"/>
+            </head>
+            <body>
+            <script>
+            (function () {
+              const frag = location.hash ? location.hash.substring(1) : "";
+              if (!frag) { location.replace("/?mobileAuthError=missing_payload"); return; }
 
-        let payload;
-        try { payload = JSON.parse(atob(frag)); } catch (e) {
-          location.replace("/?mobileAuthError=bad_payload"); return;
-        }
+              let payload;
+              try { payload = JSON.parse(atob(frag)); } catch (e) {
+                location.replace("/?mobileAuthError=bad_payload"); return;
+              }
 
-        const authToken = payload["auth-token"] ?? payload;
+              const csrfToken = document.querySelector('#csrftoken').content;
+              const csrfHeaderName = document.querySelector('#csrfheadername').content;
 
-        fetch("/auth/login", {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ "auth-token": authToken })
-        })
-        .then(r => {
-          if (!r.ok) throw new Error("HTTP " + r.status);
-          location.replace("/welcome");
-        })
-        .catch(() => location.replace("/?mobileAuthError=login_failed"));
-      })();
-    </script>
-    Signing you in…
-    </body>
-    </html>
-    """;
+              const authToken = payload["auth-token"] ?? payload;
 
-    @Override
-    protected void doFilterInternal(HttpServletRequest request,
-                                    HttpServletResponse response,
-                                    FilterChain filterChain)
-        throws ServletException, IOException {
+              fetch("/auth/login", {
+                method: "POST",
+                headers: { "Content-Type": "application/json", [csrfHeaderName]: csrfToken },
+                body: JSON.stringify({ "auth-token": authToken }),
+                credentials: "include"
+              })
+              .then(r => { if (!r.ok) throw new Error("HTTP " + r.status); location.replace("/welcome"); })
+              .catch(() => location.replace("/?mobileAuthError=login_failed"));
+            })();
+            </script>
+            Signing you in…
+            </body>
+            </html>
+            """;
 
-        if (!this.requestMatcher.matches(request)) {
-            filterChain.doFilter(request, response);
+    @Override
+    protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull FilterChain chain) throws IOException, ServletException {
+        if (!requestMatcher.matches(request)) {
+            chain.doFilter(request, response);
             return;
         }
 
-        String html = generateHtml();
-        byte[] bytes = html.getBytes(StandardCharsets.UTF_8);
+        var csrf = (org.springframework.security.web.csrf.CsrfToken) request.getAttribute(org.springframework.security.web.csrf.CsrfToken.class.getName());
+        if (csrf == null) {
+            csrf = (org.springframework.security.web.csrf.CsrfToken) request.getAttribute("_csrf");
+        }
+        String token = csrf != null ? csrf.getToken() : "";
+        String header = csrf != null ? csrf.getHeaderName() : "X-CSRF-TOKEN";
+
+        String html = generateHtml(token, header);
         response.setContentType("text/html;charset=UTF-8");
-        response.setContentLength(bytes.length);
-        response.getOutputStream().write(bytes);
+        response.getWriter().write(html);
     }
 
-    private String generateHtml() {
-        return LOGIN_PAGE_HTML;
+
+    private String generateHtml(String csrfToken, String csrfHeaderName) {
+        return String.format(LOGIN_PAGE_HTML, csrfToken, csrfHeaderName);
     }
 }

example/src/main/resources/templates/index.html

@@ -267,7 +267,11 @@ <h3><a id="for-developers"></a>For developers</h3>
             if (isMobileDevice()) {
                 const resp = await fetch("/auth/mobile/auth/init", {
                     method: "POST",
-                    headers: { "Content-Type": "application/json" },
+                    headers: {
+                        "Content-Type": "application/json",
+                        [csrfHeaderName]: csrfToken,
+                    },
+                    credentials: "include"
             });
             await checkHttpError(resp);
             const { eidAuthUri } = await resp.json();