Support XSRF mitigations

[wwwillchen]

• Referer checking
• Anti-XSRF tokens

References:

• https://flask-seasurf.readthedocs.io/en/latest/
• https://github.com/GoogleCloudPlatform/flask-talisman

Considerations:

• Make sure to configure flask.session cookies to be secure and httponly
• How do I expire an XSRF token?

[wwwillchen]

Implementation:

• Generate a CSRF token and set it on the Flask session
• Emit the CSRF token to Angular (using HTTP header?)
• Have Angular app POST the CSRF token
• Flask server app checks the CSRF token

Notes:

• Use Tink-Python to generate secret key and tokens

from flask import Flask, session

app = Flask(__name__)
app.secret_key = 'your-secret-key'  # Use tink? Or does this need to be same across apps?

@app.before_request
def set_csrf_token():
    if 'csrf_token' not in session:
        session['csrf_token'] = generate_csrf_token()

[wwwillchen]

https://security.stackexchange.com/questions/158045/is-checking-the-referer-and-origin-headers-enough-to-prevent-csrf-provided-that

[wwwillchen]

Right now, the origin check seems to be adequate as it hasn't caused any issues after the initial implementation PRs. Doing CSRF tokens could cause some usability issues as the tokens could expire in the middle of a Mesop user session which would be a bad user experience. Closing this as done.