Add CSRF Token to Builder #1050
Conversation
yeldarby
requested review from
PawelPeczek-Roboflow,
grzegorz-roboflow,
probicheaux,
hansent and
EmilyGavrilenko
as code owners
| SAFELISTED_HEADERS = {"Accept", "Accept-Language", "Content-Language", "Content-Type"} | ||
|
|
||
|
|
||
| class CORSMiddleware: |
There was a problem hiding this comment.
I'd try to avoid these big copy/pastes because you lose any improvement they do to original code.
You can just extend original behavior.
class OurCORSMiddleware(CORSMiddleware):
def __init__(
self,
app: ASGIApp,
allow_origins: typing.Sequence[str] = (),
allow_methods: typing.Sequence[str] = ("GET",),
allow_headers: typing.Sequence[str] = (),
allow_credentials: bool = False,
allow_origin_regex: str | None = None,
expose_headers: typing.Sequence[str] = (),
max_age: int = 600,
match_paths: str | None = None,
):
super().__init__(
app,
allow_origins=allow_origins,
allow_methods=allow_methods,
allow_headers=allow_headers,
allow_credentials=allow_credentials,
allow_origin_regex=allow_origin_regex,
expose_headers=expose_headers,
max_age=max_age,
)
self.match_paths_regex = re.compile(match_paths) if match_paths else None
async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
# If match_paths is provided and does not match, just skip to the next handler:
if self.match_paths_regex is not None:
path = scope.get("path", "")
if not self.match_paths_regex.match(path):
await self.app(scope, receive, send)
return
return super().__call_(scope, receive, send)There was a problem hiding this comment.
Good idea; will update.
| # ---------------------------------------------------------------- | ||
| # Generate or read the "csrf" token from disk once per server run | ||
| # ---------------------------------------------------------------- | ||
| csrf_file = workflow_local_dir / ".csrf" |
There was a problem hiding this comment.
CSRF here is defined per server. It doesn't work in a distributed environment (like hosted api?).
Not sure if it will be used there or if it is only for users running their own server.
There was a problem hiding this comment.
This is only for the self-hosted builder running in Detached mode. For cloud connected mode it’ll be connected to and authed with your Roboflow account.
| # ---------------------------------------------------------------- | ||
| # Dependency to verify the X-CSRF header on any protected route | ||
| # ---------------------------------------------------------------- | ||
| def verify_csrf_token(x_csrf: str = Header(None)): |
There was a problem hiding this comment.
CSRF tokens should be per session, not per server.
In general, implementations generate a token based on a shared seed instead of using only one value, save this value to cookie and then send the value as cookie and as param.
FastAPI has a good CSRF third-party implementation, we can use it as is or as inspiration.
There was a problem hiding this comment.
Makes sense when there is an auth mechanism and different users may see different things. But what benefit does that add here where there is no auth/session/user account?
Description
This passes through a CSRF token to the frontend iframe that it passes back when accessing the API. This will prevent random websites from performing destructive actions on the local server (since they won't know the CSRF token). It also prevents clickjacking attacks because the iframe won't be able to do anything unless is has access to a valid CSRF token (which an attacker won't know so won't be able to iframe the UI in a maliciously constructed page).
Type of change
How has this change been tested, please provide a testcase or example of how you tested the change?
Locally & via staging. Only affects the new
/buildloginless UI.Any specific deployment considerations
Won't actually work against prod until the frontend ships via the companion PR open on the core app repo.
Docs
/buildroute.