
7.x - CSRF bugfix #9369

Closed

Conversation

Atmire-Kristof

@Atmire-Kristof Atmire-Kristof commented Feb 27, 2024

References

Description

This PR adds a /api/security/csrf endpoint to send POST requests to, which returns the appropriate CSRF headers/cookies, preventing any subsequent POST request from failing before the CSRF headers are set.

Instructions for Reviewers

Changes made:

  • A new SecurityRestController with /api/security/csrf POST endpoint
  • Disabled CSRF for statistics endpoints
  • Modified DSpaceCsrfTokenRepository to create and return CSRF tokens as header and cookie when either one of them is missing from a POST request

For testing, I'd advise setting up both the Angular and REST sides of this PR (note: when referring to the csrf cookie, I'm talking about "DSPACE-XSRF-COOKIE"):

  • Load the homepage as anonymous and confirm a csrf POST request is sent to the new endpoint
  • Confirm the first "statistics" POST request (should be "viewevents") contains the correct CSRF cookie and header and succeeds
  • Confirm the same happens when logged in
  • Using curl or any other method (e.g. Postman), copy the statistics request from your browser (containing equal valid CSRF header and cookie) and confirm the response DOES NOT contain the header and cookie
  • Modify the request by removing the header, leaving only the cookie and confirm the response DOES contain the new cookie
  • Modify the request by removing the cookie, leaving only the header and confirm the response contains the new cookie
  • Modify the request by removing both cookie and header and once again, confirm it contains the new cookie
  • Modify the request by changing the header/cookie to be different from each other and confirm it contains the new cookie

Checklist

This checklist provides a reminder of what we are going to look for when reviewing your PR. You need not complete this checklist prior to creating your PR (draft PRs are always welcome). If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!

  • My PR is small in size (e.g. less than 1,000 lines of code, not including comments & integration tests). Exceptions may be made if previously agreed upon.
  • My PR passes Checkstyle validation based on the Code Style Guide.
  • My PR includes Javadoc for all new (or modified) public methods and classes. It also includes Javadoc for large or complex private methods.
  • My PR passes all tests and includes new/updated Unit or Integration Tests based on the Code Testing Guide.
  • If my PR includes new libraries/dependencies (in any pom.xml), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.
  • If my PR modifies REST API endpoints, I've opened a separate REST Contract PR related to this change.
  • If my PR includes new configurations, I've provided basic technical documentation in the PR itself.
  • If my PR fixes an issue ticket, I've linked them together.
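The reissue rule described above (new cookie and header whenever either is missing or the two differ), modelled as an added example that is not DSpace's own code. The DSPACE-XSRF-COOKIE name comes from the PR text; the X-XSRF-TOKEN request header and DSPACE-XSRF-TOKEN response header names are assumed, and the token format is constructed.

```python
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "DSPACE-XSRF-COOKIE"      # named in the PR description
REQUEST_HEADER = "X-XSRF-TOKEN"         # assumed DSpace request header name
RESPONSE_HEADER = "DSPACE-XSRF-TOKEN"   # assumed DSpace response header name


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def needs_new_token(req: Request) -> bool:
    """Model of the PR's token-repository rule: reissue when the cookie or
    the header is missing, or when the two values do not match."""
    cookie = req.cookies.get(COOKIE_NAME)
    header = req.headers.get(REQUEST_HEADER)
    if cookie is None or header is None:
        return True
    return not secrets.compare_digest(cookie, header)


def handle_post(req: Request) -> dict:
    """Response headers a server following the rule would add. Only the
    reissue case sets a cookie and header; a valid pair gets nothing back."""
    if not needs_new_token(req):
        return {}
    token = secrets.token_hex(16)  # constructed, not DSpace's token format
    return {RESPONSE_HEADER: token,
            "Set-Cookie": f"{COOKIE_NAME}={token}; Path=/"}


def cookie_and_header_agree(resp: dict) -> bool:
    """Reviewer check for the steps that expect a new cookie: the token in
    Set-Cookie must equal the token in the response header."""
    set_cookie = resp.get("Set-Cookie", "")
    header = resp.get(RESPONSE_HEADER)
    if header is None or not set_cookie.startswith(COOKIE_NAME + "="):
        return False
    cookie_value = set_cookie.split(";", 1)[0].split("=", 1)[1]
    return secrets.compare_digest(cookie_value, header)


def review_matrix() -> dict:
    """The five curl/Postman variants from the review steps; True means a
    new cookie is expected in the response."""
    valid = "abc123"  # constructed token value
    cases = {
        "equal header and cookie": Request({COOKIE_NAME: valid}, {REQUEST_HEADER: valid}),
        "cookie only": Request({COOKIE_NAME: valid}, {}),
        "header only": Request({}, {REQUEST_HEADER: valid}),
        "neither": Request(),
        "mismatch": Request({COOKIE_NAME: valid}, {REQUEST_HEADER: "other"}),
    }
    return {name: "Set-Cookie" in handle_post(r) for name, r in cases.items()}
```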

@tdonohue tdonohue added bug component: statistics Related to Statistics (Solr or Google Analytics) labels Feb 27, 2024
@alanorth alanorth changed the title CSRF bugfix 7.x - CSRF bugfix Mar 7, 2024
@tdonohue

Closing, replaced by #9599 which is a backport of the code added to main for 8.0

@tdonohue tdonohue closed this May 17, 2024