release icon indicating copy to clipboard operation
release copied to clipboard

Published 20 hours ago verified publisher icon alphagov

Raise exception on CSRF failure

Open chrisroos opened this issue 1 year ago • 4 comments

This was previously enabled in PR #1375 but then reverted in PR #1383 when it was discovered that enabling it had silently broken the ability for Release API clients to create deployment records because they don't (and shouldn't need to) send the CSRF token in the request.

I'm avoiding the problem seen in PR #1375 by skipping forgery protection if we detect a Bearer token in the Authorization HTTP Header. I'm doing this in the same way that GDS::SSO checks whether the gds_sso Warden strategy is valid or whether it needs to use the gds_bearer_token strategy instead so I'm fairly confident this is good enough to distinguish an API request from a browser request.

One of the two new controller tests should fail if we either:

  • remove the with: :exception option to protect_from_forgery
  • require the CSRF token when an API client authenticates using a Bearer token and creates a deployment

Note that I'm assuming that Deployments#create is the only API endpoint. If it turns out there are more API endpoints then we'll need to make the same change to those.

I was interested to learn that raising an exception is the default behaviour in new Rails apps but that we were overriding that default with our explicit call to protect_from_forgery without any arguments. Adding protect_from_forgery with: :exception is the same as removing protect_from_forgery entirely, although I think the former is more explicit.

chrisroos avatar Feb 07 '24 17:02 chrisroos

Hi @theseanything and @sengi. I spent some time looking into this after @theseanything suggested that we might need to make a change to gds-sso to handle the problem you were seeing. If I've understood the problem correctly then I think this PR demonstrates that we don't need to make a change to gds-sso but I'd appreciate getting your thoughts on it.

chrisroos avatar Feb 07 '24 17:02 chrisroos

@chrisroos @theseanything is this still needed or being worked on? Can we close it or make it a draft?

MuriloDalRi avatar Mar 27 '24 10:03 MuriloDalRi

@chrisroos @theseanything is this still needed or being worked on? Can we close it or make it a draft?

This issue still needs to be resolved, as I said this implementation is fine to fix the immediate problem. @chrisroos is no longer able to work on this.

theseanything avatar Mar 27 '24 12:03 theseanything

Created a Trello card for this and reverting to draft.

AgaDufrat avatar May 03 '24 08:05 AgaDufrat