[server] added xsrf protection

2025-04-24 09:48:58 -04:00 · 2015-11-06 14:57:01 -06:00 · 2015-11-06 14:57:01 -06:00 · 79b1b0f151
commit 79b1b0f151
parent 76261fd87a
3 changed files with 29 additions and 1 deletions
--- a/src/server/config/schema.js
+++ b/src/server/config/schema.js
@ -5,6 +5,7 @@ let path = require('path');

 let utils = require('requirefrom')('src/utils');
 let fromRoot = utils('fromRoot');
+const randomBytes = require('crypto').randomBytes;

 module.exports = () => Joi.object({
  pkg: Joi.object({
@ -39,7 +40,8 @@ module.exports = () => Joi.object({
        origin: ['*://localhost:9876'] // karma test server
      }),
      otherwise: Joi.boolean().default(false)
-    })
+    }),
+    xsrfToken: Joi.string().default(randomBytes(256).toString('hex'))
  }).default(),

  logging: Joi.object().keys({
--- a/src/server/http/index.js
+++ b/src/server/http/index.js
@ -119,4 +119,6 @@ module.exports = function (kbnServer, server, config) {
      .permanent(true);
    }
  });
+
+  return kbnServer.mixin(require('./xsrf'));
 };
--- a/src/server/http/xsrf.js
+++ b/src/server/http/xsrf.js
@ -0,0 +1,24 @@
+import { forbidden } from 'boom';
+
+export default function (kbnServer, server, config) {
+  const token = config.get('server.xsrfToken');
+  const stateOpts = {
+    isSecure: config.get('server.ssl.cert') && config.get('server.ssl.key'),
+    isHttpOnly: false,
+    path: '/',
+  };
+
+  server.ext('onPostAuth', function (req, reply) {
+    if (req.method === 'get' && !req.state['XSRF-TOKEN'] && !req.headers['x-xsrf-token']) {
+      reply.state('XSRF-TOKEN', token, stateOpts);
+    }
+
+    if (req.method === 'get' || req.headers['x-xsrf-token'] === token) {
+      reply.continue();
+    } else if (!req.headers['x-xsrf-token']) {
+      reply(forbidden('Missing XSRF token'));
+    } else {
+      reply(forbidden('Invalid XSRF token'));
+    }
+  });
+}