This PR changes the way CSRF token (and cookie) are generated, moving from a URLSafeSerializer to a URLSafeTimedSerializer.
Now CSRF tokens are valid for 30 seconds, after that they would throw bad signature exception.
Now invocation of the /csrf token always returns (and sets as an expiring cookie) a new token.
How Has This Been Tested?
unit tests
e2e
manual tests
PR Quality Checklist
[x] I added tests to new or existing code
[ ] I removed hardcoded strings and used our i18n solution instead (see here)
[x] I made sure no sensitive info gets logged at any time in the codebase (see here) (e.g. no user info or details, no stacktraces, etc.)
[ ] I checked that infrastructure/update_infrastructure.sh runs without any error
[x] I checked that npm run build builds without any error
[x] I checked that clusters are listed correctly
[x] I checked that a new cluster can be created (config is produced and dry run passes)
[x] I checked that login and logout work as expected
Description
This PR changes the way CSRF token (and cookie) are generated, moving from a
URLSafeSerializerto aURLSafeTimedSerializer. Now CSRF tokens are valid for 30 seconds, after that they would throw bad signature exception. Now invocation of the/csrftoken always returns (and sets as an expiring cookie) a new token.How Has This Been Tested?
PR Quality Checklist
i18nsolution instead (see here)npm run buildbuilds without any errorIn order to increase the likelihood of your contribution being accepted, please make sure you have read both the Contributing Guidelines and the Project Guidelines
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.