New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reduce frequency of CSRF Tokens being refreshed/reset #3168
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @tdonohue I have put a question inline, can you help me to understand the code?
...pp/src/main/java/org/dspace/app/rest/security/jwt/JWTTokenRestAuthenticationServiceImpl.java
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthenticationRestControllerIT.java
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthenticationRestControllerIT.java
Show resolved
Hide resolved
@abollini : I've responded to your questions above. As noted in those responses, I don't think there's any code changes necessary for this PR, but let me know if you disagree. |
I'm ok with the improvement that you have suggested, +1 to merge |
…logout or when passed as a param.
…ogout or when sent via param.
…ies when CSRF token changes.
c9337a3
to
404b828
Compare
References
Loosely related to DSpace/dspace-angular#1024 , but both PRs are standalone and not dependent on one another
Description
While testing batch uploads (see DSpace/dspace-angular#1024), I realized that the CSRF token is being refreshed/changed every time it is used. This means it refreshes on every POST/PUT/PATCH/DELETE request. While this seemed like a good idea in initial implementation, it now seems potentially problematic / complex for batch operations.
The reason is that during a batch upload, the CSRF token can change between every uploaded file (when each file is sent as a separate request). This can be difficult on the client side to achieve/manage, as any batch operations need to carefully monitor the CSRF Token.
It also runs the risk of an (unproven) possible "race" condition: If the client sends the next request before or while reading the response of the last one & that response changes the CSRF token, then the "next request" may include an outdated CSRF token (causing a 403 error).
So, this PR changes the logic so that CSRF Tokens are only reset/refreshed in the following scenarios:
InvalidCsrfTokenException
occurs, as this means the client sent an invalid CSRF token to the server. So, the server should invalidate and send a new one (allowing the client to resync its CSRF token). This scenario is not covered in this PR, as it is already in the codebase in DSpaceAccessDeniedHandlerInstructions for Reviewers
RestAuthenticationService
to make these changes easier to understand.