chore: add csrf token handling #289
Conversation
e2e/scenario/fixture/api.spec.js
Outdated
| }).then(function () { | ||
| request.authenticate(new CsrfAuthenticator({ | ||
| csrfFetchUrl: restServiceMockUrl + '/form' | ||
| })).then(function () { | ||
| request.post(restServiceMockUrl + '/form').send({ |
There was a problem hiding this comment.
subsequent calls should be scheduled on the flow, no need to calling in promise resolve callback
e2e/scenario/fixture/api.spec.js
Outdated
| request.post(restServiceMockUrl + '/form').send({ | ||
| field: 'value' | ||
| }).do().then(function (res) { | ||
| expect(res.status).toBe(200); | ||
| }).catch(function (err) { | ||
| }).catch(function () { |
There was a problem hiding this comment.
unhandled promise rejection will fail the test, no need for explicit assertion
|
|
||
| var CSRF_HEADER = 'x-csrf-token'; | ||
|
|
||
| function CsrfAuthenticator(options){ |
There was a problem hiding this comment.
I am also fine with declarative setup like request.authenticate({crsf: {user,pass,url})
There was a problem hiding this comment.
there is no user or pass that could be associated with csrf
There was a problem hiding this comment.
There is for sure, the call for getting the crsf token should be authenticated, see the reference impl: https://github.wdf.sap.corp/I533952/uiveri5_iscoper/blob/9f08dcbbf05b692184aa619266ea1b3904ad8e61/iscoperPlugin.js#L43
There was a problem hiding this comment.
thanks for this link but as you know I've had it for 2 months and looked at it every day since.
please read a bit more about csrf, bearer tokens and relaystate param (as it also came up) and that they are not the same e.g.
https://owasp.org/www-community/attacks/csrf
https://portswigger.net/web-security/csrf/tokens
https://portswigger.net/web-security/csrf
https://blogs.sap.com/2019/02/19/what-is-relaystate-in-saml-and-how-to-configure-relaystate-on-as-abap/
https://stackoverflow.com/questions/25838183/what-is-the-oauth-2-0-bearer-token-exactly/25843058
if you want to add support for authentication, it would be a separate topic. besides, user:auth in the url is accepted https://visionmedia.github.io/superagent/#authentication
|
|
||
| module.exports = function() { | ||
| var app = express(); | ||
| // will also use a _csrf cookie (secret) and validate against it | ||
| var csrfProtection = csrf({ |
There was a problem hiding this comment.
good idea to use standard module
There was a problem hiding this comment.
what is the standard module?
No description provided.