apostrophe-headless
Enable CSRF exceptions for headless routes
Hi, my colleague @ecb34 and I have noticed that adding a headless route as a CSRF exception was not working, and we have thought about this approach to solve it.
Hi, are you using the latest version of apostrophe 2.x with this? It looks to me like the existing csrf middleware should have no problem matching these exceptions. Also look at self.csrf in the apostrophe-express module for the logic that checks the exceptions; they are minimatch patterns. But that should already be working.
We are using the 2.113.3 version. I think you are referring to this function, but the routes in the exceptions are for anonymous users and don't have a bearer token/api key, so the CSRF protection middleware is called.
GET requests never encounter the CSRF middleware. Are you allowing anonymous users to POST? Yes, that would require creating exceptions. Have you tried to cover them with the standard option for configuring individual CSRF exceptions?
Yes, creating individual exceptions for some POST routes was the way that we expected to work, but it doesn't work unless we add the extra behavior that we have added in this PR.
These are already checked in middleware, that should be sufficient. So it would make more sense to focus on why the existing self.csrf method of apostrophe-express is not accepting these URLs. Is it being invoked for these URLs?
--
THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his
(When an appropriate exception is configured, that is.)
I have reviewed the self.csrf method, and it's working as expected; it is making an exception on the routes that we are excluding. The problem comes in the self.applyCsrfUnlessExemptMiddleware method on apostrophe-headless. The if condition is always being evaluated as false, so it always goes to self.csrfWithoutExceptions on apostrophe-express.
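As an added illustration of the decision the thread is debugging (this is not apostrophe's or apostrophe-headless's own code; the function names, the request shape, the `authorization`/`apikey` checks and the tiny glob matcher standing in for minimatch are all assumptions), here is a "CSRF unless exempt" middleware whose exempt decision is separated out so it can be tested on its own, which is exactly the part that was always evaluating to false in the PR discussion:

```javascript
// Added example, not project code. The exempt decision is a pure function
// so that the "is this route excepted?" question can be unit-tested alone.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Assumed stand-in for minimatch: '**' matches across path segments, '*' within one.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*\*/g, '\u0000')
    .replace(/\*/g, '[^/]*')
    .replace(/\u0000/g, '.*');
  return new RegExp('^' + escaped + '$');
}

function isExempt(path, exceptions) {
  return exceptions.some((p) => globToRegExp(p).test(path));
}

// 'skip' means the CSRF token check is not enforced for this request.
function csrfDecision(req, exceptions) {
  if (SAFE_METHODS.has(req.method)) return 'skip';             // GET never hits CSRF
  if (req.headers.authorization || req.query.apikey) return 'skip'; // assumed API auth
  const path = req.url.split('?')[0];                          // patterns match the path only
  return isExempt(path, exceptions) ? 'skip' : 'enforce';
}

// Wraps a strict token check (the csrfWithoutExceptions role) with the exemptions.
function makeCsrfUnlessExempt(exceptions, csrfWithoutExceptions) {
  return function (req, res, next) {
    if (csrfDecision(req, exceptions) === 'skip') return next();
    return csrfWithoutExceptions(req, res, next);
  };
}

// Constructed strict check: token in header must equal the session token.
function sampleCsrf(req, res, next) {
  const ok = req.session && req.session.csrf && req.headers['x-xsrf-token'] === req.session.csrf;
  if (ok) return next();
  res.statusCode = 403;
  return 'forbidden';
}
```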