elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[OAS] Add support for `kbn-xsrf` #186876

Closed maryam-saeidi closed 1 month ago

maryam-saeidi commented 2 months ago

Summary

While working on Zod support PoC, I noticed that we don't add the kbn-xsrf header parameter automatically.


This header is not always required; for example, GET /api/alerting/rules/_find API works without providing this header but PUT /api/alerting/rule/046c0d4f needs this header.

elasticmachine commented 2 months ago

Pinging @elastic/kibana-core (Team:Core)

pgayvallet commented 2 months ago

This header is not always required;

Yeah, it's even trickier than that: non "unsafe methods" (so basically anything aside from GET and OPTION) require either the kbn-xsrf OR the kbn-version header.

https://github.com/elastic/kibana/blob/6fc0d971dd00b83964093aec8ad013d77b2fd5e2/packages/core/http/core-http-server-internal/src/lifecycle_handlers.ts#L36-L41

So technically, none of those 2 are really required, but at least one of them should be present.

But for OAS generation we could probably just make kbn-xsrf mandatory, and automatically add it during generation for nonGET nonOPTION endpoints.

WDYT @jloleysens?

jloleysens commented 2 months ago

But for OAS generation we could probably just make kbn-xsrf mandatory, and automatically add it during generation for nonGET nonOPTION endpoints.

Yeah, this is exactly what I had in mind. There is also an option to make the xsrf header not required, which should probably also be respected when generating the OAS:

https://github.com/elastic/kibana/blob/c47f4833230ac0c14af5c4669d68ab41ceac4dd6/packages/core/http/core-http-server/src/router/route.ts#L136
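The two comments above describe the runtime rule (non-GET, non-OPTIONS requests need either `kbn-xsrf` or `kbn-version`, unless the route opts out) and the proposed OAS rule (emit a mandatory `kbn-xsrf` header parameter for those same operations, honouring the opt-out). The block below is an added example that models both rules side by side; it is not Kibana's own code. The names `isXsrfProtected`, `xsrfHeaderParameterFor`, `buildPaths`, `SAFE_METHODS`, `RouteXsrfOptions` and the `xsrfRequired` field, the error message wording, and the sample route list are all assumptions made for illustration.

```typescript
// Added example, not Kibana's own code: a minimal model of the kbn-xsrf
// check described in the thread and of how an OAS generator could emit the
// matching header parameter. All names below are assumed for illustration.

type HeaderMap = Record<string, string>;

// Stand-in for the per-route option that disables the XSRF check.
interface RouteXsrfOptions {
  xsrfRequired?: boolean;
}

// Methods that never need the token ("safe" methods); everything else does.
const SAFE_METHODS: ReadonlySet<string> = new Set(['get', 'options']);

// Either header proves the request was built by script, not by a cross-site
// form, so the presence of any one of them satisfies the check.
const XSRF_HEADERS = ['kbn-xsrf', 'kbn-version'] as const;

interface XsrfDecision {
  ok: boolean;
  reason?: string;
}

// Runtime check: mirrors the rule "non-safe method needs kbn-xsrf OR
// kbn-version, unless the route opted out". Header names are matched
// case-insensitively, as HTTP requires.
function isXsrfProtected(
  method: string,
  headers: HeaderMap,
  route: RouteXsrfOptions = {}
): XsrfDecision {
  if (SAFE_METHODS.has(method.toLowerCase())) return { ok: true };
  if (route.xsrfRequired === false) return { ok: true }; // explicit opt-out
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  if (XSRF_HEADERS.some((h) => present.has(h))) return { ok: true };
  // Message wording is assumed, not copied from Kibana.
  return { ok: false, reason: `Request must contain a ${XSRF_HEADERS[0]} header.` };
}

interface OasHeaderParameter {
  name: string;
  in: 'header';
  required: boolean;
  description: string;
  schema: { type: 'string' };
}

// OAS rule proposed in the thread: make kbn-xsrf mandatory on every
// non-GET, non-OPTIONS operation unless the route opted out. Returns the
// parameter object to attach, or undefined when none is needed.
function xsrfHeaderParameterFor(
  method: string,
  route: RouteXsrfOptions = {}
): OasHeaderParameter | undefined {
  if (SAFE_METHODS.has(method.toLowerCase())) return undefined;
  if (route.xsrfRequired === false) return undefined;
  return {
    name: 'kbn-xsrf',
    in: 'header',
    required: true,
    description: 'Any non-empty value. Required for all non-GET, non-OPTIONS requests.',
    schema: { type: 'string' },
  };
}

interface RouteDescriptor {
  method: string;
  path: string;
  options?: RouteXsrfOptions;
}

type OasPaths = Record<string, Record<string, { parameters: OasHeaderParameter[] }>>;

// Walks a route list and builds the "paths" fragment of an OAS document,
// adding the kbn-xsrf parameter exactly where the runtime check would
// demand a header.
function buildPaths(routes: RouteDescriptor[]): OasPaths {
  const paths: OasPaths = {};
  for (const r of routes) {
    if (!paths[r.path]) paths[r.path] = {};
    const param = xsrfHeaderParameterFor(r.method, r.options);
    paths[r.path][r.method.toLowerCase()] = { parameters: param ? [param] : [] };
  }
  return paths;
}

// Constructed sample routes modelled on the two endpoints named in the
// issue, plus one hypothetical route that opts out of the check.
const SAMPLE_ROUTES: RouteDescriptor[] = [
  { method: 'GET', path: '/api/alerting/rules/_find' },
  { method: 'PUT', path: '/api/alerting/rule/{id}' },
  { method: 'POST', path: '/api/example/opt_out', options: { xsrfRequired: false } },
];

const SAMPLE_PATHS = buildPaths(SAMPLE_ROUTES);
```

Running `buildPaths` over `SAMPLE_ROUTES` yields an empty parameter list for the GET and the opted-out POST, and a single required `kbn-xsrf` header parameter for the PUT, which matches what `isXsrfProtected` enforces for the same three routes. The point the thread makes still holds at runtime: `kbn-version` alone also passes the check, so the generated spec is stricter than the server, which is the trade-off the proposal accepts.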