fix: do not use csrf for meta endpoints #1927

Merged
merged 6 commits into from
Nov 8, 2021
6 changes: 6 additions & 0 deletions cmd/daemon/serve.go
Expand Up @@ -93,6 +93,12 @@ func ServePublic(r driver.Registry, wg *sync.WaitGroup, cmd *cobra.Command, args
r.WithCSRFHandler(csrf)
n.UseHandler(r.CSRFHandler())

// Disable CSRF for these endpoints
csrf.DisablePath(healthx.AliveCheckPath)
csrf.DisablePath(healthx.ReadyCheckPath)
csrf.DisablePath(healthx.VersionPath)
csrf.DisablePath(prometheus.MetricsPrometheusPath)

r.RegisterPublicRoutes(ctx, router)
r.PrometheusManager().RegisterRouter(router.Router)

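Review bot: The four `csrf.DisablePath(...)` calls carry only a one-line comment, and because `csrf` is the same handler already installed via `n.UseHandler(r.CSRFHandler())` two lines earlier, a reader needs to know why exactly these paths are singled out. I would extend the comment to `// Health, version and metrics endpoints are unauthenticated and read-only, so they need neither a CSRF check nor a CSRF cookie; DisablePath turns the handler off for them entirely.` — the "entirely" part is my reading of DisablePath versus the ExemptPath the fakes also implement, so confirm against the nosurf release used here. If DisablePath matches the exact path only, say so as well, so nobody expects sub-paths of the metrics route to be covered. The PR adds no test asserting that a request to these paths passes without a token, and the mocks added in session/manager_http_test.go and x/nosurf.go make DisablePath a no-op, so a regression here would currently go unnoticed. ServePublic starts before the hunk.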
4 changes: 3 additions & 1 deletion driver/registry.go
Expand Up @@ -9,6 +9,8 @@ import (
"github.com/gorilla/sessions"
"github.com/pkg/errors"

"github.com/ory/nosurf"

"github.com/ory/x/logrusx"

"github.com/ory/kratos/continuity"
Expand Down Expand Up @@ -45,7 +47,7 @@ type Registry interface {

WithLogger(l *logrusx.Logger) Registry

WithCSRFHandler(c x.CSRFHandler)
WithCSRFHandler(c nosurf.Handler)
WithCSRFTokenGenerator(cg x.CSRFToken)

HealthHandler(ctx context.Context) *healthx.Handler
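Review bot: `WithCSRFHandler(c nosurf.Handler)` on the Registry interface has no doc comment, and the same applies to the matching setter and the `CSRFHandler()` accessor in driver/registry_default.go. Since the parameter type is now the third-party `nosurf.Handler` rather than the project's own interface, a one-liner such as `// WithCSRFHandler sets the CSRF middleware; ServePublic relies on it supporting DisablePath for the health and metrics endpoints.` would tell implementers what the registry expects of it. The Registry interface continues outside the hunk.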
8 changes: 5 additions & 3 deletions driver/registry_default.go
Expand Up @@ -7,6 +7,8 @@ import (
"sync"
"time"

"github.com/ory/nosurf"

"github.com/ory/kratos/selfservice/strategy/webauthn"

"github.com/ory/kratos/selfservice/strategy/lookup"
Expand Down Expand Up @@ -70,7 +72,7 @@ type RegistryDefault struct {

injectedSelfserviceHooks map[string]func(config.SelfServiceHook) interface{}

nosurf x.CSRFHandler
nosurf nosurf.Handler
trc *tracing.Tracer
pmm *prometheus.MetricsManager
writer herodot.Writer
Expand Down Expand Up @@ -239,11 +241,11 @@ func (m *RegistryDefault) MetricsHandler() *prometheus.Handler {
return m.metricsHandler
}

func (m *RegistryDefault) WithCSRFHandler(c x.CSRFHandler) {
func (m *RegistryDefault) WithCSRFHandler(c nosurf.Handler) {
m.nosurf = c
}

func (m *RegistryDefault) CSRFHandler() x.CSRFHandler {
func (m *RegistryDefault) CSRFHandler() nosurf.Handler {
if m.nosurf == nil {
panic("csrf handler is not set")
}
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -75,7 +75,7 @@ require (
github.com/ory/jsonschema/v3 v3.0.4
github.com/ory/kratos-client-go v0.6.3-alpha.1
github.com/ory/mail/v3 v3.0.0
github.com/ory/nosurf v1.2.5
github.com/ory/nosurf v1.2.6
github.com/ory/x v0.0.300
github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2
github.com/pkg/errors v0.9.1
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -1572,8 +1572,8 @@ github.com/ory/mail v2.3.1+incompatible h1:vHntHDHtQXamt2T+iwTTlCoBkDvILUeujE9Oc
github.com/ory/mail v2.3.1+incompatible/go.mod h1:87D9/1gB6ewElQoN0lXJ0ayfqcj3cW3qCTXh+5E9mfU=
github.com/ory/mail/v3 v3.0.0 h1:8LFMRj473vGahFD/ntiotWEd4S80FKYFtiZTDfOQ+sM=
github.com/ory/mail/v3 v3.0.0/go.mod h1:JGAVeZF8YAlxbaFDUHqRZAKBCSeW2w1vuxf28hFbZAw=
github.com/ory/nosurf v1.2.5 h1:3PkEwcMd9BYpMD96PTCwJTNV8we69SbO+cgI8p1oeOA=
github.com/ory/nosurf v1.2.5/go.mod h1:d4L3ZBa7Amv55bqxCBtCs63wSlyaiCkWVl4vKf3OUxA=
github.com/ory/nosurf v1.2.6 h1:bC+VQjNeO2quPnnl0d6m27irK1uHK9hHnwcDi/JOGlk=
github.com/ory/nosurf v1.2.6/go.mod h1:d4L3ZBa7Amv55bqxCBtCs63wSlyaiCkWVl4vKf3OUxA=
github.com/ory/viper v1.5.6/go.mod h1:TYmpFpKLxjQwvT4f0QPpkOn4sDXU1kDgAwJpgLYiQ28=
github.com/ory/viper v1.7.4/go.mod h1:T6sodNZKNGPpashUOk7EtXz2isovz8oCd57GNVkkNmE=
github.com/ory/viper v1.7.5 h1:+xVdq7SU3e1vNaCsk/ixsfxE4zylk1TJUiJrY647jUE=
13 changes: 12 additions & 1 deletion session/manager_http_test.go
Expand Up @@ -8,6 +8,8 @@ import (
"testing"
"time"

"github.com/ory/nosurf"

"github.com/ory/kratos/driver"

"github.com/ory/x/urlx"
Expand All @@ -24,12 +26,21 @@ import (
"github.com/ory/kratos/x"
)

var _ x.CSRFHandler = new(mockCSRFHandler)
var _ nosurf.Handler = new(mockCSRFHandler)

type mockCSRFHandler struct {
c int
}

func (f *mockCSRFHandler) DisablePath(s string) {
}

func (f *mockCSRFHandler) DisableGlob(s string) {
}

func (f *mockCSRFHandler) DisableGlobs(s ...string) {
}

func (f *mockCSRFHandler) IgnoreGlob(s string) {
}

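Review bot: The new `DisablePath`, `DisableGlob` and `DisableGlobs` methods on mockCSRFHandler are no-ops, so a test using this mock cannot tell whether the caller actually exempted the health and metrics paths; the same holds for the no-op methods added to FakeCSRFHandler in x/nosurf.go. Recording the argument would make that assertable, e.g. a `disabled []string` field on the struct and `func (f *mockCSRFHandler) DisablePath(s string) { f.disabled = append(f.disabled, s) }`. If the mock is only meant for counting via `c`, a short comment stating that the disable methods are intentionally inert would do instead.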
24 changes: 12 additions & 12 deletions x/nosurf.go
Expand Up @@ -83,7 +83,7 @@ func FakeCSRFTokenGeneratorWithToken(token string) func(r *http.Request) string
}
}

var _ CSRFHandler = new(FakeCSRFHandler)
var _ nosurf.Handler = new(FakeCSRFHandler)

type FakeCSRFHandler struct{ name string }

Expand All @@ -93,6 +93,15 @@ func NewFakeCSRFHandler(name string) *FakeCSRFHandler {
}
}

func (f *FakeCSRFHandler) DisablePath(s string) {
}

func (f *FakeCSRFHandler) DisableGlob(s string) {
}

func (f *FakeCSRFHandler) DisableGlobs(s ...string) {
}

func (f *FakeCSRFHandler) ExemptPath(s string) {
}

Expand All @@ -113,16 +122,7 @@ func (f *FakeCSRFHandler) RegenerateToken(w http.ResponseWriter, r *http.Request
}

type CSRFProvider interface {
CSRFHandler() CSRFHandler
}

type CSRFHandler interface {
http.Handler
RegenerateToken(w http.ResponseWriter, r *http.Request) string
ExemptPath(string)
IgnorePath(string)
IgnoreGlob(string)
IgnoreGlobs(...string)
CSRFHandler() nosurf.Handler
}

func CSRFCookieName(reg interface {
Expand Down Expand Up @@ -233,7 +233,7 @@ func NewCSRFHandler(
}

func NewTestCSRFHandler(router http.Handler, reg interface {
WithCSRFHandler(CSRFHandler)
WithCSRFHandler(handler nosurf.Handler)
WithCSRFTokenGenerator(CSRFToken)
WriterProvider
LoggingProvider
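Review bot: In the parameter interface of `NewTestCSRFHandler`, the changed line `WithCSRFHandler(handler nosurf.Handler)` names its parameter while the neighbouring `WithCSRFTokenGenerator(CSRFToken)` does not; gofmt accepts both, but mixing the two styles within one interface literal reads as an oversight. I would write `WithCSRFHandler(nosurf.Handler)` to match the rest of the literal, or name both parameters. With the project-owned CSRFHandler interface removed, `CSRFProvider` now exposes the third-party `nosurf.Handler` in its method signature, which is worth a sentence in its doc comment so implementers know the Disable* methods are part of the contract. NewTestCSRFHandler continues outside the hunk.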