Allow modules to override CSRF protection. #1296
Conversation
Useful for Web APIs and all other kinds of things.

API changes:
- Added public CHTTPSock::GetURI() method
- Added public CModule::ValidateWebRequestCSRFCheck() method
- Made CWebSock::GetCSRFCheck() method public so it can be accessed from CModule
- Added public CWebSock::ValidateCSRFCheck() method

Other changes:
- Added a Sample Web API module (modules/samplewebapi.cpp) and a simple web form with no CSRF check.

Implements feature request znc#1180.
Cheers @tzvetkoff
@@ -655,8 +655,8 @@ CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI, | |||
// 1. they obviously know the password, |
Please add some tests. I don't quite understand why existing
I can still think of use-cases where I want to require cookie-based auth but not require a CSRF token. For example, a JSON-based API used with frontend JavaScript. CSRF isn't necessarily a worry if a In this circumstance, requiring a CSRF value to be submitted is just additional hassle. Let's not conflate authentication and cross-site request forgery tokens. There are cases (e.g. a "contact us" form) where it's perfectly reasonable for a developer to want to apply a CSRF token to prevent other users from being made to submit spam via the contact form from another site. This is completely independent of any form of authentication mechanism.
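The split described in the comment above (cookie-based authentication stays, the CSRF token becomes a per-handler decision) together with the module override hook listed in the PR description, as an added C++ sketch that is not ZNC's code. `WebRequest`, `WebHandler`, `JsonApiHandler`, `Decide`, the `_CSRF_Check` field name and the `ValidateWebRequestCSRFCheck` signature are this example's own assumptions; the custom-header rule used for the JSON API handler is one common condition chosen for illustration, not the condition the comment refers to (its text is cut off on this page).

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <string>

// Stand-in for an HTTP request (this example's own type, not ZNC's CWebSock).
struct WebRequest {
    std::string method;
    std::map<std::string, std::string> headers;  // header name -> value
    std::map<std::string, std::string> params;   // form/query parameters
    std::string sessionToken;                    // CSRF token minted for this session
};

// Constant-time comparison: a wrong token costs the same as a right one, so
// the check does not leak how many leading bytes matched.
static bool ConstantTimeEquals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

static std::string HeaderOr(const WebRequest& req, const std::string& name) {
    auto it = req.headers.find(name);
    return it == req.headers.end() ? std::string() : it->second;
}

// Default policy, the one plain HTML forms get: safe methods need no token,
// any other method must echo the session token in the "_CSRF_Check" field
// (assumed field name). This is independent of whether the user is logged in:
// an anonymous contact-form session gets a token too, which is what stops a
// third-party page from making visitors submit spam through the form.
class WebHandler {
public:
    virtual ~WebHandler() {}

    bool DefaultCSRFCheck(const WebRequest& req) const {
        if (req.method == "GET" || req.method == "HEAD") return true;
        if (req.sessionToken.empty()) return false;
        auto it = req.params.find("_CSRF_Check");
        if (it == req.params.end()) return false;
        return ConstantTimeEquals(it->second, req.sessionToken);
    }

    // Override point for a module (assumed signature). Return true to accept.
    virtual bool ValidateWebRequestCSRFCheck(const WebRequest& req) const {
        return DefaultCSRFCheck(req);
    }
};

// JSON API handler for same-origin frontend JavaScript: authentication is
// still the session cookie, but the token is replaced by a check that the
// request cannot be a cross-site <form> post. A form cannot set a custom
// header or send application/json, and a cross-origin XHR/fetch that tries
// to would first need a CORS preflight the server can refuse.
class JsonApiHandler : public WebHandler {
public:
    bool ValidateWebRequestCSRFCheck(const WebRequest& req) const override {
        bool customHeader = HeaderOr(req, "X-Requested-With") == "XMLHttpRequest";
        bool jsonBody = HeaderOr(req, "Content-Type").rfind("application/json", 0) == 0;
        if (customHeader && jsonBody) return true;
        return DefaultCSRFCheck(req);  // anything else must still carry the token
    }
};

// Builds a request against a fixed constructed session token and asks the chosen
// handler whether it would accept it. Used by main() below and by the checks.
bool Decide(bool jsonApi, const std::string& method, const std::string& formToken, bool xhrJson) {
    const std::string kSessionToken = "s3cr3t-token";  // constructed sample value
    WebRequest req;
    req.method = method;
    req.sessionToken = kSessionToken;
    if (!formToken.empty()) req.params["_CSRF_Check"] = formToken;
    if (xhrJson) {
        req.headers["X-Requested-With"] = "XMLHttpRequest";
        req.headers["Content-Type"] = "application/json; charset=utf-8";
    }
    WebHandler plain;
    JsonApiHandler api;
    const WebHandler& h = jsonApi ? static_cast<const WebHandler&>(api) : plain;
    return h.ValidateWebRequestCSRFCheck(req);
}

int main() {
    std::printf("form post, valid token:     %d\n", Decide(false, "POST", "s3cr3t-token", false));
    std::printf("form post, forged token:    %d\n", Decide(false, "POST", "guess", false));
    std::printf("API, bare cross-site POST:  %d\n", Decide(true, "POST", "", false));
    std::printf("API, same-origin XHR JSON:  %d\n", Decide(true, "POST", "", true));
    return 0;
}
```

The header rule only holds while the server's CORS configuration does not approve arbitrary origins with credentials: once `Access-Control-Allow-Origin` reflects the caller and `Access-Control-Allow-Credentials: true` is sent, the preflight passes and the token check is the only defence left, which is why the override falls back to `DefaultCSRFCheck` rather than skipping the check outright.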
Yes, that's a good example, thanks.
@DarthGandalf @tzvetkoff I've updated this PR against the latest https://github.com/lol768/znc/commits/module_csrf_override What's the best way forward, can you merge my commits in @tzvetkoff?
@lol768 you can create PR yourself if @tzvetkoff doesn't merge your commits to this PR.
Cheers @DarthGandalf, will do so if the commits aren't added in a few days. @tzvetkoff If I do end up adding my own PR, I'll split the bounty amount on work done and PayPal you the bigger share of it.
PR added to #1327 |