feat: enable csrf token header#11283

Merged
Emyrk merged 7 commits intomainfromstevenmasley/enable_csrf
Dec 19, 2023
Merged
23 changes: 14 additions & 9 deletionscoderd/httpmw/csrf.go
Expand Up@@ -19,25 +19,23 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Error(w, "Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies.", http.StatusBadRequest)
}))

// Exempt all requests that do not require CSRF protection.
// All GET requests are exempt by default.
mw.ExemptPath("/api/v2/csp/reports")

// Top level agent routes.
mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceagents/[^/]*$"))
// Agent authenticated routes
mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceagents/me/*"))
mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceagents/*"))
// Workspace Proxy routes
mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceproxies/me/*"))
// Derp routes
mw.ExemptRegexp(regexp.MustCompile("derp/*"))
// Scim
mw.ExemptRegexp(regexp.MustCompile("api/v2/scim/*"))
// Provisioner daemon routes
mw.ExemptRegexp(regexp.MustCompile("/organizations/[^/]+/provisionerdaemons/*"))

mw.ExemptFunc(func(r *http.Request) bool {
// Enable CSRF in November 2022 by deleting this "return true" line.
// CSRF is not enforced to ensure backwards compatibility with older
// cli versions.
//nolint:revive
return true

// CSRF only affects requests that automatically attach credentials via a cookie.
// If no cookie is present, then there is no risk of CSRF.
//nolint:govet
Expand All@@ -59,6 +57,13 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
return true
}

if r.Header.Get(codersdk.ProvisionerDaemonPSK) != "" {
// If present, the provisioner daemon also is providing an api key
// that will make them exempt from CSRF. But this is still useful
// for enumerating the external auths.
return true
}

// If the X-CSRF-TOKEN header is set, we can exempt the func if it's valid.
// This is the CSRF check.
sent := r.Header.Get("X-CSRF-TOKEN")
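Review bot: The new exemption at `if r.Header.Get(codersdk.ProvisionerDaemonPSK) != ""` skips the CSRF check on header presence alone, without looking at the value, and the comment ("still useful for enumerating the external auths") does not say why presence is sufficient. If the reasoning is that a cross-site form submission cannot attach a custom request header without a CORS preflight, the comment should say so, otherwise the branch reads as an unvalidated bypass to the next reader. Suggested wording: `// Presence of this custom header is enough to rule out CSRF: a cross-site form post cannot set custom headers without a CORS preflight. The PSK value itself is checked by the route's own auth, not here.` The second sentence assumes the PSK is verified downstream, which is not visible in this hunk and should be confirmed. The body of CSRF continues below the hunk.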
12 changes: 12 additions & 0 deletionssite/vite.config.ts
Expand Up@@ -38,6 +38,18 @@ export default defineConfig({
},
server: {
port: process.env.PORT ? Number(process.env.PORT) : 8080,
headers: {
// This header corresponds to "src/api/api.ts"'s hardcoded FE token.
// This is the secret side of the CSRF double cookie submit method.
// This should be sent on **every** response from the webserver.
//
// This is required because in production, the Golang webserver generates
// this "Set-Cookie" header. The Vite webserver needs to replicate this
// behavior. Instead of implementing CSRF though, we just use static
// values for simplicity.
"Set-Cookie":
"csrf_token=JXm9hOUdZctWt0ZZGAy9xiS/gxMKYOThdxjjMnMUyn4=; Path=/; HttpOnly; SameSite=Lax",
},
proxy: {
"/api": {
ws: true,
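Review bot: The value at `"Set-Cookie": "csrf_token=JXm9hOUdZctWt0ZZGAy9xiS/gxMKYOThdxjjMnMUyn4=; ..."` must stay byte-identical to the hardcoded token in src/api/api.ts, and the comment neither says what breaks when they drift nor states explicitly that this block only ever serves the dev server. Suggest extending the comment: `// Dev server only: a fixed, public value is acceptable here because this config never serves production traffic.` followed by `// Keep it identical to the token in src/api/api.ts, otherwise the backend's double-submit check rejects every mutating request.` The second line assumes the Go backend compares the cookie against the X-CSRF-TOKEN header, as the csrf.go comment in this PR describes; confirm before adding it. The `Secure` attribute is omitted, which is fine on plain-http localhost but would need adding if the dev server were served over HTTPS. The server config object continues outside the hunk.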
