Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

implementation of the csrf signed double submit pattern #3409

Merged
merged 15 commits into from
May 7, 2024
Merged

implementation of the csrf signed double submit pattern #3409

merged 15 commits into from
May 7, 2024

Conversation

thoniTUB
Copy link
Collaborator

No description provided.

@thoniTUB
naive implementation of the csrf double submit pattern
9648ebd 
Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
@thoniTUB thoniTUB requested a review from awildturtok April 25, 2024 13:12
@thoniTUB
Copy link
Collaborator Author

Todo:

  • Signing the cookie value for signed double submit pattern
  • check template if custom rest-method is used everywhere

awildturtok
awildturtok reviewed Apr 25, 2024
View reviewed changes
backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java Outdated
public static final String CSRF_TOKEN_PROPERTY = "csrf_token";
public static final int TOKEN_LENGTH = 30;

Random random = new SecureRandom();
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

private final?

thoniTUB added 6 commits April 25, 2024 21:14
@thoniTUB
fixes admin ui templates
cdcb67b 
Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
@thoniTUB
updates gh actions
43750c9 
Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
@thoniTUB
change fetch to rest call everywhere
ff3c67f 
Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
@thoniTUB
more github action updates
ee7ae75 
Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
@thoniTUB
adds signing of csrf cookie
7d506c6 
Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
@thoniTUB
adds readme, timers, and csrf check property for the request
867554e 
Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
@thoniTUB thoniTUB changed the title naive implementation of the csrf double submit pattern implementation of the csrf signed double submit pattern Apr 29, 2024
@thoniTUB thoniTUB marked this pull request as ready for review April 29, 2024 12:48
@thoniTUB thoniTUB requested a review from awildturtok April 29, 2024 15:12
awildturtok
awildturtok approved these changes Apr 29, 2024
View reviewed changes
Copy link
Collaborator

@awildturtok awildturtok left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Änderungen sind alles nits, kannst du gerade die admin-ui, bitte in einer staging instanz testen?

backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java Outdated
null,
0,
null,
3600,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

magic number auf der TTL?

backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java Outdated
final StopWatch stopwatch = new StopWatch("Generate csrf token");

stopwatch.start();
final Hash hash = Password.hash(csrfToken).addRandomSalt(32).with(HASH_FUNCTION);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

magic number?

backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java Outdated Show resolved Hide resolved
backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java Outdated
Comment on lines 98 to 103
final StopWatch stopwatch = new StopWatch("Check csrf token");
stopwatch.start();
final boolean decision = Password.check(token, saltedHash).addSalt(salt).with(HASH_FUNCTION);
stopwatch.stop();

log.trace("Checked token in {}", stopwatch);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s.o.

thoniTUB and others added 4 commits April 30, 2024 07:29
@thoniTUB @awildturtok
Update backend/src/main/java/com/bakdata/conquery/models/auth/web/csr…
5b4c18b 
…f/CsrfTokenSetFilter.java

Co-authored-by: awildturtok <1553491+awildturtok@users.noreply.github.com>
@thoniTUB
review changes
da7d3ca 
Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
@thoniTUB
rename DefaultAuthFilter -> Authfilter
717b922 
order filter priorities
remove csrf-check property

Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
@thoniTUB
Merge branch 'develop' into feature/crsf-filter
c0c91ab
@thoniTUB
Copy link
Collaborator Author

thoniTUB commented May 6, 2024

@awildturtok mir war noch ein Problem, mit der Redirection nach einer Authentifizierung aufgefallen, welches ich jetzt gefixt habe.

Mergen werde ich aber erst nach dem heutigen release

thoniTUB added 2 commits May 6, 2024 13:13
@thoniTUB
update readme
0a48af0 
Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
@thoniTUB
Merge branch 'develop' into feature/crsf-filter
3c9cc9e
@thoniTUB thoniTUB enabled auto-merge May 7, 2024 09:01
@thoniTUB thoniTUB merged commit 85043bd into develop May 7, 2024
6 checks passed
@delete-merged-branch delete-merged-branch bot deleted the feature/crsf-filter branch May 7, 2024 09:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@awildturtok awildturtok awildturtok approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thoniTUB @awildturtok