Include csrf in jwt. Add double submit csrf validation

EvalVis · EvalVis · commit 7e49545ba0a4 · 2024-01-26T21:42:15.000+02:00
diff --git a/security/pom.xml b/security/pom.xml
@@ -11,7 +11,7 @@
 
   <groupId>com.evalvis</groupId>
   <artifactId>security</artifactId>
-  <version>2.2.2</version>
+  <version>2.3.0</version>
   <name>security</name>
 
   <distributionManagement>
diff --git a/security/src/main/java/com/evalvis/security/JwtFilter.java b/security/src/main/java/com/evalvis/security/JwtFilter.java
@@ -33,7 +33,7 @@ protected void doFilterInternal(
             JwtToken.existing(request, key.value(), blacklistedJwtTokenRedisRepository)
                     .ifPresent(
                             token -> {
-                                if (token.tokenIsValid()) {
+                                if (token.tokenIsValid() && csrfDoubleSubmitTokenIsValid(request, token)) {
                                     UserDetails userDetails = new User(token.username(), null);
                                     UsernamePasswordAuthenticationToken authentication =
                                             new UsernamePasswordAuthenticationToken(
@@ -51,4 +51,8 @@ protected void doFilterInternal(
         }
         filterChain.doFilter(request, response);
     }
+
+    private boolean csrfDoubleSubmitTokenIsValid(HttpServletRequest request, JwtToken token) {
+        return request.getHeader("X-CSRF-TOKEN").equals(token.csrfToken());
+    }
 }
diff --git a/security/src/main/java/com/evalvis/security/JwtToken.java b/security/src/main/java/com/evalvis/security/JwtToken.java
@@ -12,9 +12,8 @@
 import org.springframework.util.StringUtils;
 
 import javax.crypto.SecretKey;
-import java.util.Arrays;
-import java.util.Date;
-import java.util.Optional;
+import java.security.SecureRandom;
+import java.util.*;
 
 public final class JwtToken {
     private static final Logger logger = LoggerFactory.getLogger(JwtToken.class);
@@ -31,6 +30,7 @@ public static JwtToken create(
                 Jwts
                         .builder()
                         .subject(((User) authentication.getPrincipal()).getUsername())
+                        .claim("csrfToken", generateCsrfToken())
                         .issuedAt(new Date())
                         .expiration(new Date((new Date()).getTime() + jwtExpirationMs))
                         .signWith(key)
@@ -40,6 +40,12 @@ public static JwtToken create(
         );
     }
 
+    public static String generateCsrfToken() {
+        byte[] randomBytes = new byte[32];
+        new SecureRandom().nextBytes(randomBytes);
+        return Base64.getUrlEncoder().withoutPadding().encodeToString(randomBytes);
+    }
+
     public static Optional<JwtToken> existing(
             HttpServletRequest request, SecretKey key, BlacklistedJwtTokenRepository blacklistedJwtTokenRepository
     ) {
@@ -89,6 +95,12 @@ public Date expirationDate() {
         return Jwts.parser().verifyWith(key).build().parseSignedClaims(token).getPayload().getExpiration();
     }
 
+    public String csrfToken() {
+        return Jwts.parser().verifyWith(key).build().parseSignedClaims(token).getPayload().get(
+                "csrfToken", String.class
+        );
+    }
+
     public boolean tokenIsValid() {
         try {
             Jwts.parser().verifyWith(key).build().parse(token);
diff --git a/security/src/test/java/com/evalvis/security/ITTests.java b/security/src/test/java/com/evalvis/security/ITTests.java
@@ -10,6 +10,7 @@
 import org.springframework.test.context.ActiveProfiles;
 
 import java.io.IOException;
+import java.util.Map;
 
 import static org.junit.jupiter.api.Assertions.*;
 
@@ -52,7 +53,10 @@ void blacklistsToken() {
     private void login(JwtToken token) {
         try {
             jwtFilter.doFilterInternal(
-                    new FakeHttpServletRequest(new Cookie[]{new Cookie("jwt", token.value())}),
+                    new FakeHttpServletRequest(
+                            Map.of("X-CSRF-TOKEN", token.csrfToken()),
+                            new Cookie[]{new Cookie("jwt", token.value())}
+                    ),
                     new FakeHttpServletResponse(),
                     new FakeFilterChain()
             );

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ protected void doFilterInternal(`
`33`	`33`	`JwtToken.existing(request, key.value(), blacklistedJwtTokenRedisRepository)`
`34`	`34`	`.ifPresent(`
`35`	`35`	`token -> {`
`36`		`- if (token.tokenIsValid()) {`
	`36`	`+ if (token.tokenIsValid() && csrfDoubleSubmitTokenIsValid(request, token)) {`
`37`	`37`	`UserDetails userDetails = new User(token.username(), null);`
`38`	`38`	`UsernamePasswordAuthenticationToken authentication =`
`39`	`39`	`new UsernamePasswordAuthenticationToken(`
`@@ -51,4 +51,8 @@ protected void doFilterInternal(`
`51`	`51`	`}`
`52`	`52`	`filterChain.doFilter(request, response);`
`53`	`53`	`}`
	`54`	`+`
	`55`	`+ private boolean csrfDoubleSubmitTokenIsValid(HttpServletRequest request, JwtToken token) {`
	`56`	`+ return request.getHeader("X-CSRF-TOKEN").equals(token.csrfToken());`
	`57`	`+ }`
`54`	`58`	`}`