Implement endpoint csrf protection

[martijn-tao]

This PR now contains all the work for:
https://oat-sa.atlassian.net/browse/TAO-7304
https://oat-sa.atlassian.net/browse/TAO-7305
https://oat-sa.atlassian.net/browse/TAO-7306

Description

7304 (Backend part):

• Added a new Token model that provides a token object
• Token service can now generate a pool of tokens that will be used by the frontend
• Validation of an endpoint is done by adding a try { $this->validateCsrf(); } catch(\common_exception_Unauthorized $e) { ... } block
• CSRF tokens in forms use a hidden element. This gets added by passing [FormContainer::CSRF_PROTECTION_OPTION => true] to the form options.
• Since the csrf for forms is added as an element, validation is part of the form validation, meaning that a simple $form->isValid() check offers protection.
• A detailed log entry will be added if CSRF validation fails.

7305 (Frontend part):

• added core/request module, mixing old functionality of core/dataProvider/request and qtiServiceProxy
• converted core/dataProvider/request to thin wrapper returning the response body
• converted taoQtiTest/runner/proxy/qtiServiceProxy to work with this
• converted core/tokenHandler to manage a store of multiple tokens (fully async, Promise-based)
• added core/tokenStore to encapsulate the store functionality (fully async, Promise-based)
• used the core/store backend to ensure a single source of truth for the token pool
• async unit tests for all these modules

7306 (Implementation in TAO):

• Backend token pool changed to allow Instance Forms to keep their old method of protection (single token rendered by PHP as hidden input field)
• Removed cookie-based token implementation, and switched to new core/request with tokens, for the following endpoints:

tao/Users/delete
tao/Users/lockUser
tao/Users/unlockUser
tao/RdfController/addInstance
tao/RdfController/deleteAll
tao/RdfController/deleteClass
tao/RdfController/deleteResource
taoGroups/Groups/addSubClass
taoGroups/Groups/cloneInstance
taoGroups/Groups/delete (deleteResource)
taoTestTaker/TestTaker/delete (deleteResource)
taoItems/QtiCreator/createItem

A more comprehensive view of protected forms and endpoints is being documented here:
https://docs.google.com/spreadsheets/d/1TaXQDKcemsIjbWPzCvzyLsU1_EyH8MJ3vKW_-r4iZz0

To test:

1. Checkout all branches
2. Use TAO BackOffice extensively, creating and deleting Items, Groups, Test-Takers, Users, etc.
3. Try to re-run the same requests your browser is making, with old headers or removed headers
4. Run some TAO deliveries

Related PRs:

• Updated CSRF implementation extension-tao-test#279
• Updated CSRF implementation extension-tao-group#100
• Updated CSRF implementation extension-tao-testtaker#126
• Updated CSRF implementation extension-tao-item#361
• Updated CSRF implementation extension-tao-devtools#149
• Updated CSRF implementation extension-tao-testcenter#126
• Updated CSRF implementation extension-tao-proctoring#681
• Updated CSRF implementation extension-tao-delivery-rdf#254
• Updated CSRF implementation oat-sa-archived/extension-tao-itemhtml#65
• Updated CSRF implementation extension-tao-mediamanager#138
• [WIP] - Replaced old CSRF token protection with new method extension-tao-testqti#1465
• Implement endpoint csrf protection extension-tao-itemqti#1274
• [WIP] - Replaced old CSRF token protection with new method extension-tao-dac-simple#87

[codeclimate]

The PR diff size of 6147 lines exceeds the maximum allowed for the inline comments feature.

[codeclimate]

The PR diff size of 6278 lines exceeds the maximum allowed for the inline comments feature.

[codeclimate]

The PR diff size of 6278 lines exceeds the maximum allowed for the inline comments feature.

[krampstudio]

Any reason why the HTTP response has a 412 status when the token is invalid ? I'd have expected a 403

[oatymart]

Any reason why the HTTP response has a 412 status when the token is invalid ? I'd have expected a 403

@martijn-tao @siwane could you comment? I didn't catch the exact details of why we changed it.

[krampstudio]

for my own understanding, what the purpose of removing the tokens during an update ?

[krampstudio]

Still very minor issues regarding the source code, but the overall looks very good !

I've made some testing of the back-office and the test runner which looks working as expected.
I've only encountered one issue on taoDacSimple, which is most likely related to the call of the request itself (so the error belong to that extension) : oat-sa/extension-tao-dac-simple#87 (review)

[krampstudio]

And by the way the status code 403 vs 412 should also sorted out before merging

[codeclimate]

The PR diff size of 6257 lines exceeds the maximum allowed for the inline comments feature.

[krampstudio]

Code is ok now from my perspective.
I didn't found any other issue

[martijn-tao]

And by the way the status code 403 vs 412 should also sorted out before merging

@krampstudio Done, Changed the status to 403

[codeclimate]

The PR diff size of 6257 lines exceeds the maximum allowed for the inline comments feature.

[codeclimate]

The PR diff size of 6257 lines exceeds the maximum allowed for the inline comments feature.

[codeclimate]

The PR diff size of 6257 lines exceeds the maximum allowed for the inline comments feature.