Description
CSRF prevention can be difficult to do correctly for regular Quarkus applications. Some extensions such as quarkus-oidc do some work around it, while some users might be trying CORS to minimize the risks (which is deemed insufficient; search for "CSRF CORS").
Pedro @pedroigor pointed out that it would be good if Quarkus could offer a built-in feature to help with CSRF prevention.
Implementation ideas
Perhaps we can use some existing library or do our own solution, and provide quarkus-http-csrf-prevention. Or quarkus-http-attack-prevention, which will grow starting from the CSRF prevention and then cover more at a later stage. Or perhaps reuse some existing Undertow and Vert.x features.
CC @pedroigor @stianst @stuartwdouglas @darranl
@kekbur I've started prototyping a RESTEasy Reactive filter based on your code (thanks for sharing it).
I can see how it can be made quite generic and configurable. The problem I'm thinking about is that one has to buffer the stream if no marking is supported, and I doubt it will be supported.
I wonder if it would be simpler to have
// Imports added so the sketch compiles (javax.ws.rs namespace; Quarkus 3 uses jakarta.ws.rs)
import javax.ws.rs.*;
import javax.ws.rs.core.Cookie;

@Path("service")
public class Service {
    @POST
    public void post(@FormParam("csrf-token-field") String csrfTokenField, @CookieParam("csrf") Cookie csrfCookie) {
        // compare csrfTokenField with csrfCookie.getValue() here
    }
}
and just compare it. I guess it can be made configurable and let the filter skip the actual comparison.
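As an added illustration of the double-submit-cookie check the comment above sketches (this is example code, not code from the Quarkus project or from the comment's author): a plain JAX-RS ContainerRequestFilter that buffers the form body so the resource method can still read it, parses the form, and compares the form field with the cookie in constant time, rejecting the request on mismatch. The cookie name "csrf", the field name "csrf-token-field", the 400 status and the javax.ws.rs namespace (Quarkus 3 uses jakarta.ws.rs) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Double-submit-cookie CSRF check as a JAX-RS request filter (example code).
 * Assumption: the server has already issued an unguessable token in a cookie
 * named "csrf", and the HTML form echoes it back in a field named
 * "csrf-token-field". Both names are illustrative.
 */
@Provider
@PreMatching
public class CsrfFilter implements ContainerRequestFilter {

    static final String COOKIE_NAME = "csrf";
    static final String FORM_FIELD = "csrf-token-field";

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // Safe methods do not change state and are not checked.
        String method = ctx.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            return;
        }
        MediaType type = ctx.getMediaType();
        if (type == null || !MediaType.APPLICATION_FORM_URLENCODED_TYPE.isCompatible(type)) {
            // Only URL-encoded form posts are handled by this example.
            return;
        }
        // The entity stream can be read only once: buffer it, parse the copy,
        // and hand a fresh stream back so the resource method still sees the form.
        byte[] body = ctx.getEntityStream().readAllBytes();
        ctx.setEntityStream(new ByteArrayInputStream(body));

        Cookie cookie = ctx.getCookies().get(COOKIE_NAME);
        String cookieToken = cookie == null ? null : cookie.getValue();
        String formToken = parseForm(new String(body, StandardCharsets.UTF_8)).get(FORM_FIELD);

        if (!tokensMatch(cookieToken, formToken)) {
            ctx.abortWith(Response.status(Response.Status.BAD_REQUEST)
                    .entity("CSRF token missing or mismatched")
                    .build());
        }
    }

    /** Minimal application/x-www-form-urlencoded parser; the first value of a key wins. */
    static Map<String, String> parseForm(String body) {
        Map<String, String> out = new HashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            out.putIfAbsent(URLDecoder.decode(key, StandardCharsets.UTF_8),
                            URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return out;
    }

    /** Constant-time comparison; both tokens must be present and non-empty. */
    static boolean tokensMatch(String cookieToken, String formToken) {
        if (cookieToken == null || formToken == null || cookieToken.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(cookieToken.getBytes(StandardCharsets.UTF_8),
                                     formToken.getBytes(StandardCharsets.UTF_8));
    }
}
```

The buffering step is exactly the cost the comment worries about: the whole body is held in memory before the resource method runs, so a real implementation would cap the size it is willing to buffer and would need a multipart parser for multipart/form-data. The check is only as strong as the cookie: the token must be generated server-side from a secure random source, and because the comparison trusts whatever cookie arrives, any attacker who can set cookies for the site (for example from a sibling subdomain) can satisfy it.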