
Master csrf token incorrectly returned as page token #262

@forgedhallpass

Description


Discussed in #257

Originally posted by musaka872 on March 27, 2024
Hi,
I'm trying to integrate csrfguard 4.3.0 into our project.
I've configured it to use per-session tokens and not per-page tokens. But when I receive the token in the response header, it is returned as a page token in this form: {pageTokens:{"/page/uri":"csrf-token"}}. Then, when I send this token in a subsequent request, csrfguard compares {pageTokens:{"/page/uri":"csrf-token"}} to "csrf-token" and it fails.
I debugged CsrfGuardFilter, and in the handleSession method we have:

```java
private void handleSession(final HttpServletRequest httpServletRequest, final InterceptRedirectResponse interceptRedirectResponse, final FilterChain filterChain,
                           final LogicalSession logicalSession, final CsrfGuard csrfGuard) throws IOException, ServletException {

    final String logicalSessionKey = logicalSession.getKey();

    // Validate the token on the incoming request; invalid requests are logged and not passed down the chain.
    if (new CsrfValidator().isValid(httpServletRequest, interceptRedirectResponse)) {
        filterChain.doFilter(httpServletRequest, interceptRedirectResponse);
    } else {
        logInvalidRequest(httpServletRequest);
    }

    final String requestURI = httpServletRequest.getRequestURI();
    // Generates either a per-page token or the master token, depending on configuration.
    final String generatedToken = csrfGuard.getTokenService().generateTokensIfAbsent(logicalSessionKey, httpServletRequest.getMethod(), requestURI);

    // The generated token is always wrapped as a page token keyed by the request URI, even in per-session mode.
    CsrfGuardUtils.addResponseTokenHeader(csrfGuard, httpServletRequest, interceptRedirectResponse, new TokenTO(Collections.singletonMap(requestURI, generatedToken)));
}
```

In generateTokensIfAbsent it checks whether the per-page or master token should be generated, and generates the correct master token. But then, as you can see, when TokenTO is created the master token is passed as a per-page token, and it is sent as such in the response header.

Is this a bug, or am I missing something?

I don't want to parse the response header to retrieve the "csrf-token" that csrfguard returns.

Best regards,
Martin
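Client-side handling of the header shape described in the post above, as an added example that is not CSRFGuard project code and not part of the original issue: it parses the JSON object CSRFGuard places in its response token header, prefers an explicit master token, falls back to the page token keyed by the request URI, and, as a workaround for the mislabelling reported here, accepts the single "page token" as the master token when the application is configured for per-session tokens. The field names masterToken and pageTokens follow the shape quoted in the issue; the header name is left to the caller and is an assumption, as is the serverWouldAccept helper, which only mirrors the string comparison the reporter describes.

```javascript
// Added example (not CSRFGuard project code). Field names masterToken and
// pageTokens follow the shape quoted in issue #262; the header name is an
// assumption left to the caller (e.g. response.headers.get(<token header>)).

// Constructed sample: the header value the reporter saw in per-session mode.
const SAMPLE_HEADER_VALUE = JSON.stringify({ pageTokens: { "/page/uri": "csrf-token" } });

/**
 * Pick the token to echo back on the next request.
 * @param {string} headerValue  raw value of the CSRF token response header
 * @param {string} requestUri   URI of the request that produced the response
 * @param {{perPageTokens?: boolean}} opts  true if the app uses per-page tokens
 * @returns {string|null}
 */
function extractCsrfToken(headerValue, requestUri, { perPageTokens = false } = {}) {
  if (typeof headerValue !== "string" || headerValue.length === 0) {
    return null;
  }

  let parsed;
  try {
    parsed = JSON.parse(headerValue);
  } catch (err) {
    // Not JSON: treat the header as a bare token value.
    return headerValue;
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return null;
  }

  // Normal per-session case: an explicit master token.
  if (typeof parsed.masterToken === "string" && parsed.masterToken.length > 0) {
    return parsed.masterToken;
  }

  const pageTokens = parsed.pageTokens;
  if (pageTokens && typeof pageTokens === "object" && !Array.isArray(pageTokens)) {
    // Normal per-page case: token keyed by the URI that produced the response.
    const forUri = pageTokens[requestUri];
    if (typeof forUri === "string" && forUri.length > 0) {
      return forUri;
    }
    // Workaround for the mislabelling in this issue: in per-session mode the
    // single "page token" is really the master token, whatever URI it is keyed by.
    const values = Object.values(pageTokens).filter((v) => typeof v === "string" && v.length > 0);
    if (!perPageTokens && values.length === 1) {
      return values[0];
    }
  }
  return null;
}

// Mirrors the comparison the reporter describes: the filter compares the value
// the client sends against the stored token string (hypothetical helper).
function serverWouldAccept(sentValue, storedToken) {
  return typeof sentValue === "string" && sentValue === storedToken;
}

// Sending the raw header value fails; sending the extracted token succeeds.
function demonstrateIssue() {
  const stored = "csrf-token";
  return {
    rawHeaderAccepted: serverWouldAccept(SAMPLE_HEADER_VALUE, stored), // false
    extractedAccepted: serverWouldAccept(extractCsrfToken(SAMPLE_HEADER_VALUE, "/other/uri"), stored), // true
  };
}
```

The perPageTokens flag matters for safety of the workaround: when the application really uses per-page tokens, a single entry keyed by a different URI is not a usable token for the current request, so the function returns null instead of guessing.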

Metadata


Assignees

No one assigned

Labels

bug (Something isn't working), help wanted (Extra attention is needed)
