Patch 14.1.x 49 data protection include csrf token in request header 1 (

#73) * add CSRF token to request headers including GET requests (#49)
Xyna-Factory · Oct 12, 2023 · 5ebff06 · 5ebff06
1 parent 1f6110c
commit 5ebff06
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 0 deletions.
diff --git a/auth/auth-session.ts b/auth/auth-session.ts
@@ -24,6 +24,8 @@ export interface SessionInfo {
     rights: string[];
     /** session id */
     sessionId: string;
+    /** session token */
+    sessionToken: string;
     /** time in milliseconds since session start */
     startTime: number;
     /** time in milliseconds since last session interaction */

diff --git a/auth/auth.routing.ts b/auth/auth.routing.ts
@@ -21,6 +21,7 @@ import { RouterModule, Routes } from '@angular/router';
 import { AuthComponent } from './auth.component';
 import { AuthGuard } from './auth.guard';
 import { AuthInterceptor } from './auth.interceptor';
+import { CsrfInterceptor } from './csrf.interceptor';
 
 
 const root = 'Authenticate';
@@ -38,5 +39,6 @@ export const AuthRoutingModules = [
 
 export const AuthRoutingProviders = [
     { provide: HTTP_INTERCEPTORS, useClass: AuthInterceptor, multi: true },
+    { provide: HTTP_INTERCEPTORS, useClass: CsrfInterceptor, multi: true },
     AuthGuard
 ];
diff --git a/auth/csrf.interceptor.ts b/auth/csrf.interceptor.ts
@@ -0,0 +1,42 @@
+/*
+ * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ * Copyright 2023 Xyna GmbH, Germany
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ */
+import { HttpEvent, HttpHandler, HttpHeaders, HttpInterceptor, HttpRequest } from '@angular/common/http';
+import { Injectable } from '@angular/core';
+
+import { Observable } from 'rxjs';
+import { AuthEventService } from './auth-event.service';
+
+
+@Injectable()
+export class CsrfInterceptor implements HttpInterceptor {
+
+    constructor(readonly auth: AuthEventService) {
+    }
+
+    /**
+     * Write a CSRF token into each HTTP request header
+     */
+    intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
+        const token = this.auth.sessionInfoSubject?.value?.sessionToken;
+        if (token) {
+            const headers = new HttpHeaders({'Xyna-CSRF-Token': token});
+            req = req.clone({ headers: headers });
+        }
+        return next.handle(req);
+    }
+}