Master csrf token incorrectly returned as page token

[musaka872]

Hi,
I'm trying to integrate csrfguard 4.3.0 in our project.
I've configured it to use per-session tokens and not per-page tokens. But when I receive the token in the response header it is returned as page token in this form {pageTokens:{"/page/uri":"csrf-token"}} and then when I send this token in a subsequent request csrfguard compares {pageTokens:{"/page/uri":"csrf-token"}} to "csrf-token" and it fails.
I debugged CsrfGuardFilter and in handleSession method we have:

private void handleSession(final HttpServletRequest httpServletRequest, final InterceptRedirectResponse interceptRedirectResponse, final FilterChain filterChain,
                               final LogicalSession logicalSession, final CsrfGuard csrfGuard) throws IOException, ServletException {

        final String logicalSessionKey = logicalSession.getKey();

        if (new CsrfValidator().isValid(httpServletRequest, interceptRedirectResponse)) {
            filterChain.doFilter(httpServletRequest, interceptRedirectResponse);
        } else {
            logInvalidRequest(httpServletRequest);
        }

        final String requestURI = httpServletRequest.getRequestURI();
        final String generatedToken = csrfGuard.getTokenService().generateTokensIfAbsent(logicalSessionKey, httpServletRequest.getMethod(), requestURI);

        CsrfGuardUtils.addResponseTokenHeader(csrfGuard, httpServletRequest, interceptRedirectResponse, new TokenTO(Collections.singletonMap(requestURI, generatedToken)));
    }

In generateTokenIfAbsent it checks whether the per-page or master token should be generated and generates the correct master token. But then as you can see when TokenTO is created the master token is passed as per-page token and it is send as such in the response header.

Is this a bug or I'm missing something?

I don't want to parse the response header to retrieve the "csrf-token" that csrfguard returns.

Best regards,
Martin

[forgedhallpass]

Hello @musaka872,

You seem to be right, this indeed looks like a bug. I've created a ticket out of it.

Would you like to provide a PR with the fix?

[ddhagia]

Interesting, I am also facing a similar problem.
In log: response header csrf: {"pageTokens":{"/app_base/rest_v2/user_action/":"R2BX-QT2Z-YNXC-PWEQ-JEXE-TST4-C4HS-GEBE"}}
This is httpResponse.getHeader(CsrfGuard.getTokenName()) value

The difference is I have enabled tokenPerPage. @forgedhallpass is there any config changes required for tokenPerPage?
@musaka872 how do you enable token per session? I don't see any such config flag in csrfguard.properties file.