
feat: enable csrf token header #11283


Merged
merged 7 commits into from
Dec 19, 2023
Exempt external auth requests
Emyrk committed Dec 19, 2023
commit a91a99229b8b895dc90a1c3be42bc11767a3e7df
6 changes: 4 additions & 2 deletions coderd/httpmw/csrf.go
@@ -19,9 +19,8 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Error(w, "Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies.", http.StatusBadRequest)
}))

// Exempt all requests that do not require CSRF protection.
// All GET requests are exempt by default.
// All GET requests are exempt by default and no not need to be added here.
mw.ExemptPath("/api/v2/csp/reports")

// Top level agent routes.
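Review bot: the replacement comment line reads "All GET requests are exempt by default and no not need to be added here." and "no not" should be "do not". This is the one line that explains why no GET paths appear in the exempt list below, so it is worth getting the wording right; the rest of the comment change is fine.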
@@ -30,6 +29,9 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceagents/me/*"))
// Derp routes
mw.ExemptRegexp(regexp.MustCompile("derp/*"))
// Some extra non-auth
mw.ExemptRegexp(regexp.MustCompile("/externa-auth/*"))
mw.ExemptRegexp(regexp.MustCompile("/github/*"))

mw.ExemptFunc(func(r *http.Request) bool {
// CSRF only affects requests that automatically attach credentials via a cookie.
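Review bot: the new pattern `/externa-auth/*` is missing the `l` in `external`, so it will not match the routes this commit ("Exempt external auth requests") is meant to exempt; it should be `/external-auth/`. Two related points on the same two added lines: these regexps are unanchored, so `/github/*` exempts any request whose path contains `/github` anywhere, and the trailing `/*` means "zero or more slashes", not "anything below this path". Prefer an anchored pattern such as `^/external-auth/` and `^/github/`, or an exact `mw.ExemptPath(...)` as the `/api/v2/csp/reports` line above already does, so the exemption cannot accidentally cover unrelated routes. The comment `// Some extra non-auth` should also state why these routes are safe to skip CSRF for, so the exemption can be reviewed later.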