Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWT認証が必要な領域でも、認証チェックが無効になっているURLはCSRF制限をかけたい #2302

Closed
seto1 opened this issue Jun 7, 2023 · 4 comments
Closed

JWT認証が必要な領域でも、認証チェックが無効になっているURLはCSRF制限をかけたい #2302

seto1 opened this issue Jun 7, 2023 · 4 comments
Labels
Adjusting 調整中
Milestone
5.0.2

Comments

@seto1
Copy link
Collaborator

seto1 commented Jun 7, 2023

概要

コントローラーでallowUnauthenticatedを設定している状態
JWT認証が必要な領域でログイン・未ログインどちらでもアクセス可能なAPIが存在する場合に制限が必要

baserCMS version : 5.0.0
@seto1
Copy link
Collaborator Author

seto1 commented Jun 7, 2023
edited

ここを外してどうなるか要確認

https://github.com/baserproject/basercms/blob/dev-5/plugins/baser-core/src/Plugin.php#L312

// 認証できていない場合、領域がJwt認証前提の場合はスキップ
if($authSetting['type'] === 'Jwt') return true;

影響あるのはログインだが、スキップ設定されているので問題ないはず

basercms/plugins/baser-core/src/Plugin.php

Line 304 in 14c527a

if(in_array($request->getPath(), $this->getSkipCsrfUrl())) return true;

basercms/plugins/baser-core/config/setting.php

Line 354 in 14c527a

'skipCsrfUrlInPostApi' => [

@ryuring
Copy link
Collaborator

ryuring commented Jun 7, 2023

@seto1 こういう文献もあるんですがどうですかね?
https://qiita.com/mejileben/items/ae7b346f0fc4a59101b5

@ryuring ryuring added the Adjusting 調整中 label Jun 7, 2023
@seto1
Copy link
Collaborator Author

seto1 commented Jun 8, 2023

@ryuring Authorizationヘッダが必要な場合はCSRF対策用のトークンは不要だと思いますが、allowUnauthenticatedの対象の場合はAuthorizationヘッダが無くてもアクセスできちゃうんですよね。

@ryuring
Copy link
Collaborator

ryuring commented Jun 8, 2023

@seto1 あああ、なるほどケースが違うのか。理解できました。

seto1 added a commit to seto1/basercms that referenced this issue Jun 16, 2023
@seto1
fix baserproject#2302 Jwt認証領域でも未認証の場合はCSRFチェックをスキップしない
383b6ba
seto1 added a commit to seto1/basercms that referenced this issue Jun 16, 2023
@seto1
fix baserproject#2302 Jwt認証領域でも未認証の場合はCSRFチェックをスキップしない
d2c2020
@seto1 seto1 mentioned this issue Jun 16, 2023
Merged
@ryuring ryuring added this to the 5.0.2 milestone Jun 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Adjusting 調整中
Projects
None yet
Milestone
5.0.2
Development

No branches or pull requests
2 participants
@ryuring @seto1