[server/xsrf] require more explicit command to disable xsrf

2025-04-24 01:38:56 -04:00 · 2015-11-09 11:31:24 -06:00 · 2015-11-09 11:31:24 -06:00 · d8aabbbb13
commit d8aabbbb13
parent 9ec5a2c21f
4 changed files with 12 additions and 11 deletions
--- a/src/plugins/elasticsearch/lib/tests/routes.js
+++ b/src/plugins/elasticsearch/lib/tests/routes.js
@ -15,7 +15,9 @@ describe('plugins/elasticsearch', function () {
      kbnServer = new KbnServer({
        server: {
          autoListen: false,
-          xsrfToken: false
+          xsrf: {
+            disableProtection: true
+          }
        },
        logging: { quiet: true },
        plugins: {
--- a/src/server/config/schema.js
+++ b/src/server/config/schema.js
@ -41,11 +41,10 @@ module.exports = () => Joi.object({
      }),
      otherwise: Joi.boolean().default(false)
    }),
-    xsrfToken: Joi
-    .alternatives()
-    .try(Joi.string())
-    .try(Joi.allow(false))
-    .default(randomBytes(256).toString('hex'))
+    xsrf: Joi.object({
+      token: Joi.string().default(randomBytes(256).toString('hex')),
+      disableProtection: Joi.boolean().default(false),
+    }).default(),
  }).default(),

  logging: Joi.object().keys({
--- a/src/server/http/tests/xsrf.js
+++ b/src/server/http/tests/xsrf.js
@ -11,7 +11,7 @@ const fromFixture = resolve.bind(null, __dirname, '../../../fixtures/');
 describe('xsrf request filter', function () {
  async function makeServer(token, ssl) {
    const kbnServer = new KbnServer({
-      server: { autoListen: false, xsrfToken: token, ssl: ssl },
+      server: { autoListen: false, ssl: ssl, xsrf: { token } },
      logging: { quiet: true },
      optimize: { enabled: false },
    });
--- a/src/server/http/xsrf.js
+++ b/src/server/http/xsrf.js
@ -1,7 +1,9 @@
 import { forbidden } from 'boom';

 export default function (kbnServer, server, config) {
-  const token = config.get('server.xsrfToken');
+  const token = config.get('server.xsrf.token');
+  const disabled = config.get('server.xsrf.disableProtection');
+
  const stateOpts = {
    isSecure: Boolean(config.get('server.ssl.cert') && config.get('server.ssl.key')),
    isHttpOnly: false,
@ -9,9 +11,7 @@ export default function (kbnServer, server, config) {
  };

  server.ext('onPostAuth', function (req, reply) {
-    if (!token) {
-      return reply.continue();
-    }
+    if (disabled) return reply.continue();

    if (req.method === 'get' && !req.state['XSRF-TOKEN'] && !req.headers['x-xsrf-token']) {
      reply.state('XSRF-TOKEN', token, stateOpts);