
feat: Implement (but not enforce) CSRF for FE requests #3786


Merged (29 commits, Sep 13, 2022)
52c7575
feat: Implement CSRF in cli client and FE api
Emyrk Aug 31, 2022
642a29f
Make fmt
Emyrk Aug 31, 2022
37c0ba8
const vs let
Emyrk Aug 31, 2022
c774fcc
Fix lint error
presleyp Aug 31, 2022
3c75967
remove bad console log
Emyrk Sep 1, 2022
ab48b4a
Add CSRF token in header
Emyrk Sep 1, 2022
51d856e
Log error if token content is null
presleyp Sep 1, 2022
c8c8be0
Merge branch 'stevenmasley/csrf' of github.com:coder/coder into steve…
presleyp Sep 1, 2022
b03610b
Fix dev server csrf with hardcoded value
Emyrk Sep 1, 2022
e798e11
Do not error log in JS unit test
Emyrk Sep 1, 2022
1c4810a
Make fmt on js files
Emyrk Sep 1, 2022
a6fdac8
Fix agent token checking
Emyrk Sep 1, 2022
a343da9
Fix unit test
Emyrk Sep 1, 2022
dd80cc9
Check auth cookie exists
Emyrk Sep 1, 2022
08e76d4
Fix test auth
Emyrk Sep 1, 2022
0aae08a
Fix logout test
Emyrk Sep 1, 2022
3116964
Merge remote-tracking branch 'origin/main' into stevenmasley/csrf
Emyrk Sep 13, 2022
10b4296
Fix merge issues
Emyrk Sep 13, 2022
7177909
fixup! Fix merge issues
Emyrk Sep 13, 2022
633118e
Make unit test use correct session value
Emyrk Sep 13, 2022
5662a55
puppeteer does not have document defined
Emyrk Sep 13, 2022
86b9ecf
Make fmt
Emyrk Sep 13, 2022
ecaf61f
Update wireguard dep
Emyrk Sep 13, 2022
484fe2b
Add comment about BE cookie
Emyrk Sep 13, 2022
b18ea2e
chore: Ensure multiple version compatibility
Emyrk Sep 13, 2022
b97225f
Merge remote-tracking branch 'origin/main' into stevenmasley/csrf
Emyrk Sep 13, 2022
3f1eedf
Do not enforce CSRF
Emyrk Sep 13, 2022
8f367d2
Add nolint
Emyrk Sep 13, 2022
85dcbfd
Account for devurl cookie
Emyrk Sep 13, 2022
chore: Ensure multiple version compatibility
Emyrk committed Sep 13, 2022
commit b18ea2e90e56c01eddf3c3856a5eeacb4247746c
4 changes: 3 additions & 1 deletion coderd/coderd.go
Expand Up @@ -167,7 +167,9 @@ func New(options *Options) *API {
next.ServeHTTP(w, r)
})
},
httpmw.CSRF(options.SecureAuthCookie),
// Enable CSRF in November 2022 by uncommenting out this line.
// This is commented out for backwards compatibility.
// httpmw.CSRF(options.SecureAuthCookie),
)

apps := func(r chi.Router) {
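Review bot: the dated comment on the commented-out `httpmw.CSRF(options.SecureAuthCookie)` line is the only thing that will bring the middleware back, so until someone edits this file in November 2022 no request is CSRF-checked and the token the frontend now sends is never validated server-side. A comment is easy to miss at cutover time; consider wiring the middleware behind a field on `Options` (off by default for this release) so operators can enable enforcement early and the cutover becomes a default flip rather than a code edit, and track the November date in an issue. Nit: "uncommenting out this line" should read "uncommenting this line".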
8 changes: 8 additions & 0 deletions codersdk/client.go
Expand Up @@ -73,6 +73,14 @@ func (c *Client) Request(ctx context.Context, method, path string, body interfac
return nil, xerrors.Errorf("create request: %w", err)
}
req.Header.Set(SessionCustomHeader, c.SessionToken)

// Delete this custom cookie set in November 2022. This is just to remain
// backwards compatible with older versions of Coder.
req.AddCookie(&http.Cookie{
Name: "session_token",
Value: c.SessionToken,
})

if body != nil {
req.Header.Set("Content-Type", "application/json")
}
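Review bot: `req.AddCookie` runs unconditionally, so an unauthenticated request (empty `c.SessionToken`) now carries `Cookie: session_token=` with an empty value; guard the compatibility cookie with `if c.SessionToken != "" { ... }`. The cookie name is the string literal `"session_token"` while the header on the line above uses the `SessionCustomHeader` constant; reference the same constant the server reads the cookie under so the two cannot drift apart before the planned removal. As in coderd.go, the "delete in November 2022" note would be safer as a tracked issue than as a comment, since a CLI that keeps authenticating by cookie is exactly the request shape the CSRF middleware (once enabled) has to scrutinize.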