CSRF tokens

Open ErikMichelson opened this issue 5 years ago • 3 comments

While writing some docs for the API, I saw that many endpoints do not need a csrf-token that maybe should need one. While a simple /logout just disturbs the user, a DELETE /history might produce some damage... Maybe we could add a random token into the sessionStorage during login, keep track of that token server-side and use that? Or we use the "delete-profile-token"?

ErikMichelson avatar Oct 13 '19 00:10 ErikMichelson

Yes, we should do proper CSRF, the delete-profile-token is pretty much a cheap version of CSRF.

There is middleware for express that implements CSRF, I just didn't find the time to figure out all places where we want to put it.

https://github.com/expressjs/csurf

Might be something for Hacktoberfest, when we figure out what calls need it.

SISheogorath avatar Oct 13 '19 09:10 SISheogorath

I think once the basic facilities are in place, adding to or removing from certain requests is probably not a big deal. I'd say: if anyone wants to work on this: give it a go!

ccoenen avatar Oct 13 '19 22:10 ccoenen

If I understand it correctly, we can still use the express plugin with NestJS. This would work like this:

  • The backend sends a CSRF-Token in a cookie, let's call that XSRF-TOKEN
  • The frontend gets the token from the XSRF-TOKEN cookie and adds it to every request in an XSRF-Token header
  • The server verifies that all requests contain an XSRF-Token header with a valid token.

Reference: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie

davidmehren avatar Mar 06 '21 17:03 davidmehren