Include csrf token in form login request #201

Closed
Artur- opened this issue Apr 9, 2021 · 4 comments · Fixed by #214

Comments

@Artur-
Member

Artur- commented Apr 9, 2021

When using Vaadin 20+ with Spring Security, the Spring CSRF token is included as a meta tag on the page. This needs to be included in a form login request to the standard Spring Security login processor for login to work. What would be a good way to integrate this so especially the Java version LoginOverlay would automatically include the CSRF token (if available) when using e.g. setAction("login");

The information is available as

<meta name="_csrf_parameter" content="_csrf">
<meta name="_csrf_header" content="X-CSRF-TOKEN">
<meta name="_csrf" content="71dac59f-34ee-4b31-b478-2891cbd0c55d">

When doing a form post, it should be used as

<input type="hidden" name="_csrf" value="71dac59f-34ee-4b31-b478-2891cbd0c55d">

or passed as a header

X-CSRF-TOKEN: 71dac59f-34ee-4b31-b478-2891cbd0c55d
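Added example (not Vaadin's or Spring Security's own code): reads the three CSRF meta tags shown above from page markup and produces the hidden form field and the request header a login POST needs. It works on an HTML string so it runs without a DOM; the fallback names `_csrf` and `X-CSRF-TOKEN` are taken from the tags quoted in this issue, and the sample page is constructed.

```javascript
// Matches <meta name="..." content="..."> in either attribute order.
const META_RE = /<meta\s+(?:name="([^"]*)"\s+content="([^"]*)"|content="([^"]*)"\s+name="([^"]*)")\s*\/?>/gi;

// Returns { parameterName, headerName, token } or null when CSRF tags are absent.
function readCsrfMeta(html) {
  const metas = new Map();
  for (const m of html.matchAll(META_RE)) {
    const name = m[1] !== undefined ? m[1] : m[4];
    const content = m[1] !== undefined ? m[2] : m[3];
    metas.set(name, content);
  }
  const token = metas.get('_csrf');
  if (!token) return null; // CSRF disabled or tags missing: nothing to add
  return {
    parameterName: metas.get('_csrf_parameter') || '_csrf',
    headerName: metas.get('_csrf_header') || 'X-CSRF-TOKEN',
    token,
  };
}

// Escape for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Hidden input to append to the login <form> before it is submitted.
function csrfHiddenInput(csrf) {
  return `<input type="hidden" name="${escapeAttr(csrf.parameterName)}" value="${escapeAttr(csrf.token)}">`;
}

// Header to send when the login request is made with fetch()/XHR instead.
function csrfHeaders(csrf) {
  return { [csrf.headerName]: csrf.token };
}

// Constructed sample page carrying the tags quoted in the issue.
const SAMPLE_HTML = `<html><head>
<meta name="_csrf_parameter" content="_csrf">
<meta name="_csrf_header" content="X-CSRF-TOKEN">
<meta name="_csrf" content="71dac59f-34ee-4b31-b478-2891cbd0c55d">
</head><body><form method="post" action="login"></form></body></html>`;

const csrf = readCsrfMeta(SAMPLE_HTML);
if (csrf) {
  console.log(csrfHiddenInput(csrf));
  console.log(csrfHeaders(csrf));
}
```

In a browser the same lookup is `document.querySelector('meta[name="_csrf"]')`; the string parser here only stands in for that so the logic can run in Node.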
@rolfsmeds
Contributor

Description

Include CSRF token in form login request

Use cases

As a developer
I want the CSRF token to be automatically included in the login request passed by the Login component
So that I can use Login with Spring Security

Acceptance criteria

  • See description of passing the token as a hidden form field or request header in the original issue description.
  • The token should be included automatically when using CSRF
  • Mention this feature in the Technical section of Login component docs https://vaadin.com/docs/latest/ds/components/login

General criteria

  • UX/DX tests in Alpha
  • Documentation:
  • How to test?
  • Limitations:

@knoobie
Contributor

knoobie commented Jul 9, 2021

@Artur- you mentioned some days ago in Discord that once CSRF is used, the default GET request to /logout won't log out the user anymore. Now that e.g. LoginOverlay supports CSRF and some don't have to disable it, shouldn't there be a Logout component which sends a POST request to /logout created by Vaadin, or should this limitation be mentioned somewhere?

@Artur-
Member Author

Artur- commented Jul 9, 2021

If you go to https://start.vaadin.com/ and enable authentication, you have an AuthenticatedUser.logout() method you can use in Flow for logging out and a logout function exported for Fusion. Is there something else needed?

@knoobie
Contributor

knoobie commented Jul 9, 2021

Thanks for the information. That should be enough :) I haven't seen the latest additions to start.vaadin.com - looks really interesting!
