
[V2][Sessions] Make it easy/fast to use CSRF tokens with sessions (SPA & regular apps) #802

Merged
merged 23 commits into from
Aug 28, 2020

Conversation

LoicPoullain
Member

@LoicPoullain LoicPoullain commented Aug 21, 2020

Issue

Fixes #798

Solution

The CSRF protection is managed directly by @TokenXXX and @JWTXXX.

The JWT package has two new functions: setAuthCookie and removeAuthCookie.

Breaking changes

  • The configuration settings.jwt.secretOrPublicKey has been renamed to settings.jwt.secret and settings.jwt.publicKey.
  • The CSRF protection does not need an additional secret anymore or to specify an expire time for the CSRF cookie.
  • The @foal/csrf has been removed. CSRF defense is directly managed by the hooks @Token and @JWT.

Checklist

  • Add/update/check docs (code comments and docs/ folder).
  • Add/update/check tests.
  • Update/check the cli generators.

@LoicPoullain LoicPoullain added this to Work In Progress in Issue tracking via automation Aug 21, 2020
@LoicPoullain LoicPoullain changed the title Csrf simplified [V2][Sessions] Make it easy/fast to use CSRF tokens with sessions (SPA & regular apps) Aug 21, 2020
@LoicPoullain LoicPoullain mentioned this pull request Aug 28, 2020
@LoicPoullain LoicPoullain merged commit 06718af into v2-0-0 Aug 28, 2020
Issue tracking automation moved this from Work In Progress to Done / Closed This Release Aug 28, 2020
@LoicPoullain LoicPoullain deleted the csrf-simplified branch August 28, 2020 09:29