feat: Implement CSRF in cli client and FE api

Emyrk · Emyrk · commit 52c757531a26 · 2022-08-31T17:09:45.000-04:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -130,6 +130,7 @@ func New(options *Options) *API {
 		httpmw.Recover(api.Logger),
 		httpmw.Logger(api.Logger),
 		httpmw.Prometheus(options.PrometheusRegistry),
+		httpmw.CSRF(options.SecureAuthCookie),
 	)
 
 	apps := func(r chi.Router) {
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -82,12 +82,29 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs, redirectToLogin bool
 			}
 
 			var cookieValue string
+			// Find the session token from:
+			// 1: The cookie
+			// 2: The old cookie
+			// 3. The coder_session_token query parameter
+			// 4. The custom auth header
 			cookie, err := r.Cookie(codersdk.SessionTokenKey)
 			if err != nil {
-				cookieValue = r.URL.Query().Get(codersdk.SessionTokenKey)
+				// TODO: @emyrk in October 2022, remove this oldCookie check.
+				//	This is just to support the old cli for 1 release. Then everyone
+				//	must update.
+				oldCookie, err := r.Cookie("session_token")
+				if err != nil {
+					cookieValue = r.URL.Query().Get(codersdk.SessionTokenKey)
+					if cookieValue == "" {
+						cookieValue = r.Header.Get(codersdk.SessionCustomHeader)
+					}
+				} else {
+					cookieValue = oldCookie.Value
+				}
 			} else {
 				cookieValue = cookie.Value
 			}
+
 			if cookieValue == "" {
 				write(http.StatusUnauthorized, codersdk.Response{
 					Message: signedOutErrorMessage,
diff --git a/coderd/httpmw/apikey_test.go b/coderd/httpmw/apikey_test.go
@@ -74,10 +74,7 @@ func TestAPIKey(t *testing.T) {
 			r  = httptest.NewRequest("GET", "/", nil)
 			rw = httptest.NewRecorder()
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: "test-wow-hello",
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, "test-wow-hello")
 
 		httpmw.ExtractAPIKey(db, nil, false)(successHandler).ServeHTTP(rw, r)
 		res := rw.Result()
@@ -92,10 +89,7 @@ func TestAPIKey(t *testing.T) {
 			r  = httptest.NewRequest("GET", "/", nil)
 			rw = httptest.NewRecorder()
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: "test-wow",
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, "test-wow")
 
 		httpmw.ExtractAPIKey(db, nil, false)(successHandler).ServeHTTP(rw, r)
 		res := rw.Result()
@@ -110,10 +104,7 @@ func TestAPIKey(t *testing.T) {
 			r  = httptest.NewRequest("GET", "/", nil)
 			rw = httptest.NewRecorder()
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: "testtestid-wow",
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, "testtestid-wow")
 
 		httpmw.ExtractAPIKey(db, nil, false)(successHandler).ServeHTTP(rw, r)
 		res := rw.Result()
@@ -129,10 +120,7 @@ func TestAPIKey(t *testing.T) {
 			r          = httptest.NewRequest("GET", "/", nil)
 			rw         = httptest.NewRecorder()
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		httpmw.ExtractAPIKey(db, nil, false)(successHandler).ServeHTTP(rw, r)
 		res := rw.Result()
@@ -149,10 +137,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 			user       = createUser(r.Context(), t, db)
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		// Use a different secret so they don't match!
 		hashed := sha256.Sum256([]byte("differentsecret"))
@@ -178,10 +163,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 			user       = createUser(r.Context(), t, db)
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		_, err := db.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
 			ID:           id,
@@ -206,10 +188,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 			user       = createUser(r.Context(), t, db)
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		sentAPIKey, err := db.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
 			ID:           id,
@@ -280,10 +259,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 			user       = createUser(r.Context(), t, db)
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		sentAPIKey, err := db.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
 			ID:           id,
@@ -316,10 +292,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 			user       = createUser(r.Context(), t, db)
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		sentAPIKey, err := db.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
 			ID:           id,
@@ -352,10 +325,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 			user       = createUser(r.Context(), t, db)
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		sentAPIKey, err := db.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
 			ID:           id,
@@ -395,10 +365,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 			user       = createUser(r.Context(), t, db)
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		sentAPIKey, err := db.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
 			ID:           id,
@@ -449,10 +416,7 @@ func TestAPIKey(t *testing.T) {
 			user       = createUser(r.Context(), t, db)
 		)
 		r.RemoteAddr = "1.1.1.1:3555"
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		_, err := db.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
 			ID:           id,
diff --git a/coderd/httpmw/authorize_test.go b/coderd/httpmw/authorize_test.go
@@ -93,10 +93,7 @@ func TestExtractUserRoles(t *testing.T) {
 			})
 
 			req := httptest.NewRequest("GET", "/", nil)
-			req.AddCookie(&http.Cookie{
-				Name:  codersdk.SessionTokenKey,
-				Value: token,
-			})
+			req.Header.Set(codersdk.SessionCustomHeader, token)
 
 			rtr.ServeHTTP(rw, req)
 			resp := rw.Result()
diff --git a/coderd/httpmw/csrf.go b/coderd/httpmw/csrf.go
@@ -0,0 +1,63 @@
+package httpmw
+
+import (
+	"net/http"
+	"regexp"
+
+	"github.com/justinas/nosurf"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/codersdk"
+)
+
+// CSRF is a middleware that verifies that a CSRF token is present in the request
+// for non-GET requests.
+func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		mw := nosurf.New(next)
+		mw.SetBaseCookie(http.Cookie{Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: secureCookie})
+		mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			http.Error(w, "Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies.", http.StatusBadRequest)
+		}))
+
+		// Exempt all requests that do not require CSRF protection.
+		// All GET requests are exempt by default.
+		mw.ExemptPath("/api/v2/csp/reports")
+
+		// Top level agent routes.
+		mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceagents/[^/]*$"))
+		// Agent authenticated routes
+		mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceagents/me/*"))
+
+		mw.ExemptFunc(func(r *http.Request) bool {
+			// CSRF only affects requests that automatically attach credentials via a cookie.
+			// If no cookie is present, then there is no risk of CSRF.
+			sessCookie, err := r.Cookie(codersdk.SessionTokenKey)
+			if xerrors.Is(err, http.ErrNoCookie) {
+				return true
+			}
+
+			if token := r.Header.Get(codersdk.SessionCustomHeader); token == sessCookie.Value {
+				// If the cookie and header match, we can assume this is the same as just using the
+				// custom header auth. Custom header auth can bypass CSRF, as CSRF attacks
+				// cannot add custom headers.
+				return true
+			}
+
+			if token := r.URL.Query().Get(codersdk.SessionTokenKey); token == sessCookie.Value {
+				// If the auth is set in a url param and matches the cookie, it
+				// is the same as just using the url param.
+				return true
+			}
+
+			// If the X-CSRF-TOKEN header is set, we can exempt the func if it's valid.
+			// This is the CSRF check.
+			sent := r.Header.Get("X-CSRF-TOKEN")
+			if sent != "" {
+				return nosurf.VerifyToken(nosurf.Token(r), sent)
+			}
+			return false
+		})
+		return mw
+	}
+}
diff --git a/coderd/httpmw/organizationparam_test.go b/coderd/httpmw/organizationparam_test.go
@@ -29,10 +29,7 @@ func TestOrganizationParam(t *testing.T) {
 			r          = httptest.NewRequest("GET", "/", nil)
 			hashed     = sha256.Sum256([]byte(secret))
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		userID := uuid.New()
 		username, err := cryptorand.String(8)
diff --git a/coderd/httpmw/templateparam_test.go b/coderd/httpmw/templateparam_test.go
@@ -29,10 +29,7 @@ func TestTemplateParam(t *testing.T) {
 			hashed     = sha256.Sum256([]byte(secret))
 		)
 		r := httptest.NewRequest("GET", "/", nil)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		userID := uuid.New()
 		username, err := cryptorand.String(8)
diff --git a/coderd/httpmw/templateversionparam_test.go b/coderd/httpmw/templateversionparam_test.go
@@ -29,10 +29,7 @@ func TestTemplateVersionParam(t *testing.T) {
 			hashed     = sha256.Sum256([]byte(secret))
 		)
 		r := httptest.NewRequest("GET", "/", nil)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		userID := uuid.New()
 		username, err := cryptorand.String(8)
diff --git a/coderd/httpmw/userparam_test.go b/coderd/httpmw/userparam_test.go
@@ -29,10 +29,7 @@ func TestUserParam(t *testing.T) {
 			r          = httptest.NewRequest("GET", "/", nil)
 			rw         = httptest.NewRecorder()
 		)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		user, err := db.InsertUser(r.Context(), database.InsertUserParams{
 			ID:       uuid.New(),
diff --git a/coderd/httpmw/workspaceagent_test.go b/coderd/httpmw/workspaceagent_test.go
@@ -22,10 +22,7 @@ func TestWorkspaceAgent(t *testing.T) {
 	setup := func(db database.Store) (*http.Request, uuid.UUID) {
 		token := uuid.New()
 		r := httptest.NewRequest("GET", "/", nil)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: token.String(),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, token.String())
 		return r, token
 	}
 
diff --git a/coderd/httpmw/workspaceagentparam_test.go b/coderd/httpmw/workspaceagentparam_test.go
@@ -29,10 +29,7 @@ func TestWorkspaceAgentParam(t *testing.T) {
 			hashed     = sha256.Sum256([]byte(secret))
 		)
 		r := httptest.NewRequest("GET", "/", nil)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		userID := uuid.New()
 		username, err := cryptorand.String(8)
diff --git a/coderd/httpmw/workspacebuildparam_test.go b/coderd/httpmw/workspacebuildparam_test.go
@@ -29,10 +29,7 @@ func TestWorkspaceBuildParam(t *testing.T) {
 			hashed     = sha256.Sum256([]byte(secret))
 		)
 		r := httptest.NewRequest("GET", "/", nil)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		userID := uuid.New()
 		username, err := cryptorand.String(8)
diff --git a/coderd/httpmw/workspaceparam_test.go b/coderd/httpmw/workspaceparam_test.go
@@ -32,10 +32,7 @@ func TestWorkspaceParam(t *testing.T) {
 			hashed     = sha256.Sum256([]byte(secret))
 		)
 		r := httptest.NewRequest("GET", "/", nil)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		userID := uuid.New()
 		username, err := cryptorand.String(8)
@@ -340,10 +337,7 @@ func setupWorkspaceWithAgents(t testing.TB, cfg setupConfig) (database.Store, *h
 		hashed     = sha256.Sum256([]byte(secret))
 	)
 	r := httptest.NewRequest("GET", "/", nil)
-	r.AddCookie(&http.Cookie{
-		Name:  codersdk.SessionTokenKey,
-		Value: fmt.Sprintf("%s-%s", id, secret),
-	})
+	r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 	userID := uuid.New()
 	username, err := cryptorand.String(8)
diff --git a/codersdk/client.go b/codersdk/client.go
@@ -20,9 +20,11 @@ import (
 // Be sure to strip additional cookies in httpapi.StripCoder Cookies!
 const (
 	// SessionTokenKey represents the name of the cookie or query parameter the API key is stored in.
-	SessionTokenKey   = "session_token"
-	OAuth2StateKey    = "oauth_state"
-	OAuth2RedirectKey = "oauth_redirect"
+	SessionTokenKey = "coder_session_token"
+	// SessionCustomHeader is the custom header to use for authentication.
+	SessionCustomHeader = "Coder-Session-Token"
+	OAuth2StateKey      = "oauth_state"
+	OAuth2RedirectKey   = "oauth_redirect"
 )
 
 // New creates a Coder client for the provided URL.
@@ -70,10 +72,7 @@ func (c *Client) Request(ctx context.Context, method, path string, body interfac
 	if err != nil {
 		return nil, xerrors.Errorf("create request: %w", err)
 	}
-	req.AddCookie(&http.Cookie{
-		Name:  SessionTokenKey,
-		Value: c.SessionToken,
-	})
+	req.Header.Set(SessionCustomHeader, c.SessionToken)
 	if body != nil {
 		req.Header.Set("Content-Type", "application/json")
 	}
diff --git a/site/src/api/api.ts b/site/src/api/api.ts

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,7 @@ func New(options Options) API {`
`130`	`130`	`httpmw.Recover(api.Logger),`
`131`	`131`	`httpmw.Logger(api.Logger),`
`132`	`132`	`httpmw.Prometheus(options.PrometheusRegistry),`
	`133`	`+ httpmw.CSRF(options.SecureAuthCookie),`
`133`	`134`	`)`
`134`	`135`
`135`	`136`	`apps := func(r chi.Router) {`