SolutionGuidance / psm

Welcome to the Medicare/Medicaid Provider Enrollment Screening Portal
http://projectpsm.org/

Fix anti-CSRF token on login page #1072

Closed jasonaowen closed 6 years ago

jasonaowen commented 6 years ago

This is a very early and incomplete effort to fix the anti-CSRF tokens expiring on the login page.

From the Spring docs:

A common technique to protect the log in form is by using a JavaScript function to obtain a valid CSRF token before the form submission.

This implements the REST endpoint that provides such a token. I have not yet written the client-side JavaScript that overrides the default form behavior, fetches the token, and then includes it in the form submission; that would be necessary to complete this feature.

I open this in the hope that someone will be able to complete it, but I'm afraid it will not be me. If this is too partial to be useful, please close the PR.

Issue #1032 Prevent stale anti-CSRF tokens on login page

frankduncan commented 6 years ago

The JavaScript has been added. Test by going to the login page, then restarting the app, and then attempting to log in. You can also regression-test by just logging in :)

Bonus points for logging in without JavaScript to see the invalid CSRF token if you've restarted the app, or success if you haven't.

jasonaowen commented 6 years ago

@frankduncan nicely done! :+1: (I can't approve my own PR, and I haven't tested it, anyway)

Please feel free to squash our changes together, and include the other author with Co-authored-by:; I'd rather my WIP commit didn't get merged as-is!

frankduncan commented 6 years ago

Thanks for the review! I think I've handled everything :)

frankduncan commented 6 years ago

Fixed!