Skip to content

Commit

Permalink
Force path and domain on CSRF cookie
Browse files Browse the repository at this point in the history
Closes #68
  • Loading branch information
aeneasr committed Aug 8, 2019
1 parent a4b594c commit d7ab91c
Show file tree
Hide file tree
Showing 7 changed files with 38 additions and 6 deletions.
10 changes: 9 additions & 1 deletion cmd/daemon/serve.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"net/http"
"sync"

"github.com/ory/x/flagx"
"github.com/ory/x/healthx"

"github.com/sirupsen/logrus"
Expand Down Expand Up @@ -37,7 +38,14 @@ func servePublic(d driver.Driver, wg *sync.WaitGroup, cmd *cobra.Command, args [
r.ErrorHandler().RegisterPublicRoutes(router)

n.Use(NewNegroniLoggerMiddleware(l.(*logrus.Logger), "public#"+c.SelfPublicURL().String()))
r.WithCSRFHandler(x.NewCSRFHandler(router, r.Writer()))
r.WithCSRFHandler(x.NewCSRFHandler(
router,
r.Writer(),
l,
c.SelfPublicURL().Path,
c.SelfPublicURL().Hostname(),
!flagx.MustGetBool(cmd, "dev"),
))
n.UseHandler(
r.CSRFHandler(),
)
Expand Down
2 changes: 2 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
module github.com/ory/hive

replace github.com/justinas/nosurf => ../../justinas/nosurf

require (
github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869
github.com/bxcodec/faker v2.0.1+incompatible
Expand Down
3 changes: 2 additions & 1 deletion selfservice/handler_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"github.com/google/uuid"
"github.com/julienschmidt/httprouter"
"github.com/justinas/nosurf"
"github.com/sirupsen/logrus"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/tidwall/gjson"
Expand Down Expand Up @@ -40,7 +41,7 @@ func TestLogoutHandler(t *testing.T) {

router := x.NewRouterPublic()
handler.RegisterPublicRoutes(router)
reg.WithCSRFHandler(x.NewCSRFHandler(router, reg.Writer()))
reg.WithCSRFHandler(x.NewCSRFHandler(router, reg.Writer(), logrus.New(), "/", "", false))
ts := httptest.NewServer(reg.CSRFHandler())
defer ts.Close()

Expand Down
2 changes: 1 addition & 1 deletion selfservice/oidc/strategy.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ import (
)

const (
BasePath = "/methods/oidc"
BasePath = "/auth/browser/methods/oidc"
AuthPath = BasePath + "/auth/:request"
CallbackPath = BasePath + "/callback/:provider"
)
Expand Down
2 changes: 1 addition & 1 deletion selfservice/password/login.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ import (
)

const (
LoginPath = "/auth/browser/login/methods/password"
LoginPath = "/auth/browser/methods/password/login"
)

func (s *Strategy) setLoginRoutes(r *x.RouterPublic) {
Expand Down
2 changes: 1 addition & 1 deletion selfservice/password/registration.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ import (
)

const (
RegistrationPath = "/auth/browser/registration/methods/password"
RegistrationPath = "/auth/browser/methods/password/registration"
)

type RegistrationFormPayload struct {
Expand Down
23 changes: 22 additions & 1 deletion x/nosurf.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (

"github.com/justinas/nosurf"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"

"github.com/ory/herodot"
)
Expand All @@ -13,9 +14,29 @@ type CSRFProvider interface {
CSRFHandler() *nosurf.CSRFHandler
}

func NewCSRFHandler(router http.Handler, writer herodot.Writer) *nosurf.CSRFHandler {
func NewCSRFHandler(
router http.Handler,
writer herodot.Writer,
logger logrus.FieldLogger,
path string,
domain string,
secure bool,
) *nosurf.CSRFHandler {
n := nosurf.New(router)
n.SetBaseCookie(http.Cookie{
MaxAge: nosurf.MaxAge,
Path: path,
Domain: domain,
HttpOnly: true,
Secure: secure,
})
n.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
logger.
WithField("expected_token", nosurf.Token(r)).
WithField("received_token", r.Form.Get("csrf_token")).
WithField("received_token_form", r.PostForm.Get("csrf_token")).
Warn("A request failed due to a missing or invalid csrf_token value")

writer.WriteError(w, r, errors.WithStack(herodot.ErrBadRequest.WithReasonf("CSRF token is missing or invalid.")))
}))
return n
Expand Down

0 comments on commit d7ab91c

Please sign in to comment.