vertx-web

Can't easily detect CSRF validation error in failure handler in Vert.x 4.1.1

Open haizz opened this issue 4 years ago • 3 comments

#1258 and #1264 provided a way to find out if there was a CSRF validation error by comparing failure error message to CSRFHandler's ERROR_MESSAGE constant.

This is broken in Vert.x 4.1.1 because CSRFHandlerImpl now fails with common Java exceptions like IllegalArgumentException with hard-coded strings:

    ctx.fail(403, new IllegalArgumentException("CSRF validity expired"));

On the other hand, setResponseBody method of CSRFHandler was removed in 4.x so the only way to provide a custom response body on CSRF errors is to compare hard-coded strings of failure exception messages or to dig into exception's stack trace which is extremely fragile and error-prone. Would be great to have some base exception like CSRFValidationException for CSRF errors to easily detect them in failure handler and not to depend on string comparison and other black magic.

haizz, Jul 14 '21 15:07

@haizz you can add an error handler right after the CSRF in the same route and catch the error by its code:

    router.route()
      .handler(CSRFHandler.create(vertx, "abracadabra"))
      .handler(ctx -> {
        // your code here...
      })
      .failureHandler(ctx -> {
        // here you can inspect ctx.failure() for the exception
      });

pmlopes, Jul 19 '21 12:07
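An added example (not code from this thread or from the vertx-web project) of a failure handler that returns a custom body for CSRF rejections without comparing exception messages: it checks the 403 status code together with a context marker that is still set only while CSRF validation has not passed. Assumptions: `CSRFHandler` rejects via `ctx.fail(403, ...)` as in the line quoted in the issue, the marker key `example.csrf.pending`, the `/transfer` route and the `CSRF_SECRET` environment variable are hypothetical, and the handlers sit on separate routes so that handler-ordering checks in later 4.x releases do not apply.

```java
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.BodyHandler;
import io.vertx.ext.web.handler.CSRFHandler;

public class CsrfFailureExample {
  // Hypothetical context key, not part of vertx-web.
  static final String CSRF_PENDING = "example.csrf.pending";

  static Router build(Vertx vertx, String csrfSecret) {
    Router router = Router.router(vertx);
    router.route().handler(BodyHandler.create());

    // Mark the request as "inside CSRF validation" before the handler runs.
    router.route().handler(ctx -> {
      ctx.put(CSRF_PENDING, Boolean.TRUE);
      ctx.next();
    });
    router.route().handler(CSRFHandler.create(vertx, csrfSecret));
    // Only reached when CSRFHandler called ctx.next(), i.e. validation passed.
    router.route().handler(ctx -> {
      ctx.put(CSRF_PENDING, Boolean.FALSE);
      ctx.next();
    });

    router.post("/transfer").handler(ctx -> ctx.response().end("ok"));

    router.route().failureHandler(ctx -> {
      boolean duringCsrf = Boolean.TRUE.equals(ctx.get(CSRF_PENDING));
      if (ctx.statusCode() == 403 && duringCsrf) {
        // Fixed body: do not echo ctx.failure().getMessage() to the client.
        ctx.response()
          .setStatusCode(403)
          .putHeader("Content-Type", "application/json")
          .end(new JsonObject().put("error", "csrf_validation_failed").encode());
      } else {
        ctx.next(); // leave every other failure to the next failure handler
      }
    });
    return router;
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    vertx.createHttpServer().requestHandler(build(vertx, System.getenv("CSRF_SECRET"))).listen(8080);
  }
}
```

A 403 raised by a later handler (for example an authorization check) arrives with the marker already cleared, so it is not reported to the client as a CSRF failure.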

@tsegismont @vietj Can I take this one?

muhammad-abubakar, Jan 30 '22 21:01

Sure

tsegismont, Jan 31 '22 09:01