Replacing the CSRF package(CSURF) with Double CSRF package #420
@@ -0,0 +1,24 @@ | |||
import { Injectable, NestMiddleware } from '@nestjs/common' |
Create a new middleware to support the double csrf package
use(req: Request, res: Response, next: NextFunction) { | ||
const { doubleCsrfProtection } = doubleCsrf({ | ||
getSecret: () => this.configService.get<string>('server.csrfSecret', { infer: true }), | ||
cookieName: '_Secure-ccm.x-csrf-token', |
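Review bot: `doubleCsrf({ ... })` is called inside `use(req, res, next) {` (the line `const { doubleCsrfProtection } = doubleCsrf({` sits in the request handler), so the protection object is rebuilt and the secret re-read from `configService` on every request; build it once in the constructor, keep `doubleCsrfProtection` on the instance, and only invoke it from `use()`. Separately, on `cookieName: '_Secure-ccm.x-csrf-token'`: browsers only apply cookie-prefix rules to names that start with exactly `__Secure-` (two underscores) and carry the `Secure` attribute. If the single underscore shown here is the real value rather than an artifact of rendering, the prefix has no effect and this is just an ordinary cookie name, so the `Secure`/`HttpOnly` attributes passed in the cookie options are the only thing protecting it.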
I added a cookie name with `_Secure` instead of `_Host` as per the author's recommendation. See the PR description for the reasoning.
.github/workflows/ccm.yml
@@ -6,6 +6,7 @@ on: | |||
branches: |
This will be removed
Force-pushed: 9051a13 to 90afaff; 735ee0c to dbf8b3c; d20d2ef to b117b3e
This PR is up to date with the recent feature commits.
Following the local testing steps you listed, everything behaves as expected. Removing the CSRF token in the API causes errors. Code looks good; the only thing left is the three Codacy errors about unused imports, if you want to clear those warnings.
I looked at those errors; I don't think those warnings are accurate, so I don't know why it is warning. So I left it as is. For example:
`APP_FILTER` is used in the
I see, that's a little strange. OK, otherwise this looks good, I'll approve.
@jaydonkrooss, thanks for the review. I will let @jonespm take a look as well before merging it.
I'm not sure if it's possible to fix this check with Codacy, but I think we could add it to the ignore list in `.eslintrc.js`, or declare everything that's a global. That's probably a separate issue. I'm not sure if there's a better workaround that works, as I haven't configured this.
I'm not going to be able to re-test this and will rely on Jaydon's feedback. It looks like you've done the most research on this, and I don't know how it could have been done any differently here.
In the example I described above, the variable is being used in the file. So I don't know if having `no-unused-vars: off` would do anything. Plus I did not configure Codacy for it. When I looked at it I saw ESLint and ESLint (Old) and a bunch of other linters (which I had never heard of) that may have been added by default by Codacy. Sam did this and I don't know how much he configured and/or was added by Codacy. I need to come back to the Codacy configuration for CCM. I will create an issue but will deal with it separately.
Thanks @jonespm for considering the review. I will take that as approval from you if you don't want to click the approve button. This PR has been a learning curve, so I wanted more people looking at it and aware of the implementation.
@pushyamig I think Codacy is also in "Configuration file" mode and also using that file. But Sam set it up and I haven't tested or tried to change anything. But I also see what you mean about it being used. Maybe we need to use the plugin it suggests.
I looked at the MyLA Codacy configuration for the FE and it seems very similar to what CCM has: https://app.codacy.com/gh/tl-its-umich-edu/my-learning-analytics/patterns/list. I would assume we might need to come up with an approach for the Codacy configuration for the FE. Both projects have a linter configured as part of the code and VSCode integration, so I don't know how much is the same/different between either of these configurations.
@@ -7,7 +7,6 @@ on: | |||
- main |
Removing this ccm.yml changes before merging
Merged e30cb1c into tl-its-umich-edu:2024-03-01-dep-update
Fixes #410
(Test plan is updated in the issue #410. Latest build from this PR: https://github.com/pushyamig/canvas-course-manager-next/actions)

The approach taken here is that the double csrf library sets the CSRF token cookie (with hash) and also enables the HttpOnly flag so that the FE code doesn't read the cookie. The CSRF token is then passed as part of a GET call in the response object (as the lib author recommends) and stored in the React state (as props). The token is then sent with POST/PUT/DELETE calls, double csrf validates it, and then those HTTP calls are processed. Please refer to step #4 for the example implementation.

`.env` has a property added called `CSRF_SECRET`. For local development, if it is not set it has a default. This is in line with `TOKEN_SECRET` and `COOKIE_SECRET`. Non-Prod and Prod will always be set with this token.

Note: For local development you will see 2 calls in Network; this is by design when running React in StrictMode, so you won't see this behavior in CCM Dev or Prod. See https://stackoverflow.com/questions/72238175/why-useeffect-running-twice-and-how-to-handle-it-well-in-react
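The signed double-submit exchange the description lays out (an HttpOnly cookie holding the token plus its hash, the bare token handed back from a GET, echoed in a header on mutating calls and compared server-side) in stand-alone TypeScript, as an added example that is neither the PR's middleware nor the csrf-csrf library's code. The secret value, the `x-csrf-token` header name and the request/response shapes are constructed stand-ins; the cookie name uses the two-underscore `__Secure-` prefix the cookie-prefix spec defines.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';

// Constructed secret for this example; CCM reads its real value from CSRF_SECRET.
const CSRF_SECRET = 'example-only-secret-not-for-production';
// Cookie-prefix rules apply only with exactly two leading underscores plus Secure.
const COOKIE_NAME = '__Secure-ccm.x-csrf-token';
// Header the front end sends the token in (assumed name, not taken from the PR).
const HEADER_NAME = 'x-csrf-token';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Minimal stand-ins for the request/response shapes a middleware sees.
export interface CsrfRequest {
  method: string;
  cookies: Record<string, string>;
  headers: Record<string, string>;
}
export interface CsrfCookie { value: string; httpOnly: boolean; secure: boolean; sameSite: 'strict' | 'lax' }
export interface CsrfResponse { cookies: Record<string, CsrfCookie>; body?: { csrfToken: string } }

// The HMAC binds the token to the server secret, so a cookie cannot be minted
// by anything that does not hold CSRF_SECRET.
function sign(token: string): string {
  return createHmac('sha256', CSRF_SECRET).update(token).digest('hex');
}

function safeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a, 'utf8');
  const bb = Buffer.from(b, 'utf8');
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// GET side: mint a random token, store "token|hmac" in an HttpOnly cookie the
// front end cannot read, and return the bare token in the response body
// (the React code keeps it in state and echoes it on mutating calls).
export function issueToken(res: CsrfResponse): string {
  const token = randomBytes(32).toString('hex');
  res.cookies[COOKIE_NAME] = {
    value: `${token}|${sign(token)}`,
    httpOnly: true,
    secure: true,
    sameSite: 'strict',
  };
  res.body = { csrfToken: token };
  return token;
}

// POST/PUT/DELETE side: accept only if the cookie carries a valid HMAC and the
// header token equals the cookie token. Safe methods are passed through.
export function validate(req: CsrfRequest): { ok: boolean; reason: string } {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true, reason: 'safe method' };
  const cookie = req.cookies[COOKIE_NAME];
  const header = req.headers[HEADER_NAME];
  if (!cookie || !header) return { ok: false, reason: 'missing cookie or header' };
  const parts = cookie.split('|');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return { ok: false, reason: 'malformed cookie' };
  const [cookieToken, cookieHash] = parts;
  if (!safeEqual(cookieHash, sign(cookieToken))) return { ok: false, reason: 'cookie signature mismatch' };
  if (!safeEqual(cookieToken, header)) return { ok: false, reason: 'header does not match cookie' };
  return { ok: true, reason: 'valid' };
}

// Walk the exchange once: a legitimate POST, a cross-site POST that carries the
// browser's cookie but no header, and a POST with a cookie lacking a valid HMAC.
export function runFlow(): Record<string, string> {
  const res: CsrfResponse = { cookies: {} };
  const token = issueToken(res);
  const cookieValue = res.cookies[COOKIE_NAME].value;
  return {
    legit: validate({ method: 'POST', cookies: { [COOKIE_NAME]: cookieValue }, headers: { [HEADER_NAME]: token } }).reason,
    crossSite: validate({ method: 'POST', cookies: { [COOKIE_NAME]: cookieValue }, headers: {} }).reason,
    forged: validate({ method: 'DELETE', cookies: { [COOKIE_NAME]: 'abc|notavalidhmac' }, headers: { [HEADER_NAME]: 'abc' } }).reason,
  };
}

console.log(runFlow());
```

The HttpOnly flag is what keeps the cookie half out of reach of front-end script, which is why the bare token has to travel back in the GET response rather than being read from `document.cookie`; the HMAC check is what makes a cookie that was never issued by this server fail even when its header half matches.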