
Add CSRF token to all internal session-authenticated API requests.
BusterNeece committed Aug 27, 2021
1 parent 95a9b8c commit 5a2f1a4
Showing 50 changed files with 17,890 additions and 7,952 deletions.
15 changes: 15 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,8 +7,23 @@ release channel, you can take advantage of these new features and fixes.

## Code Quality/Technical Changes

- A number of security fixes are being incorporated into the software as of this version. See below for details.

## Bug Fixes

## Security Fixes

- Session cookies are now marked as HTTP-only, avoiding possible use by custom JavaScript that may be injected into a
given page.

- If the "Always Use HTTPS" setting is enabled, session cookies will be sent as "secure only" as well.

- API calls will now either require API key authentication _or_ both a current active login session and a unique
identifier; if you're calling the API externally, you should _always_ use a generated API key and not count on the
user's existing session.

-

---

# AzuraCast 0.14.1 (Aug 22, 2021)
20 changes: 16 additions & 4 deletions config/assets.php
Expand Up @@ -2,6 +2,8 @@

use App\Environment;
use App\Http\ServerRequest;
use App\Middleware\Auth\ApiAuth;
use App\Session\Csrf;
use Psr\Http\Message\ServerRequestInterface as Request;

/**
Expand Down Expand Up @@ -40,19 +42,29 @@
],
],

'vue-translations' => [
'vue-base' => [
'order' => 4,
'files' => [
'js' => [
[
'src' => 'dist/VueTranslations.js',
'src' => 'dist/VueBase.js',
],
],
],
'inline' => [
'js' => [
function (Request $request) {
return 'VueTranslations.default(App.locale);';
$csrfJson = 'null';

$csrf = $request->getAttribute(ServerRequest::ATTR_SESSION_CSRF);
if ($csrf instanceof Csrf) {
$csrfToken = $csrf->generate(ApiAuth::API_CSRF_NAMESPACE);
$csrfJson = json_encode($csrfToken, JSON_THROW_ON_ERROR);
}

return <<<JS
VueBase.default(App.locale, ${csrfJson});
JS;
},
],
],
Expand All @@ -76,7 +88,7 @@ function (Request $request) {

'vue-component-common' => [
'order' => 3,
'require' => ['vue', 'vue-translations'],
'require' => ['vue', 'vue-base'],
'files' => [
'js' => [
[
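Review bot: The token is embedded into an inline script block via `json_encode` with only `JSON_THROW_ON_ERROR`, so the encoder leaves `<`, `>`, `&` and quotes unescaped; whether that can matter depends on the character set `Csrf::generate()` produces, which is not visible in this hunk. A defensive call is `json_encode($csrfToken, JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`, which keeps the value safe inside a script context regardless of the token format. Separately, the heredoc interpolates with the `${csrfJson}` form; `{$csrfJson}` is the conventional form and the `${}` syntax is deprecated as of PHP 8.2. The second hunk in this file only renames the `vue-translations` dependency to `vue-base` and needs no change.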
1 change: 0 additions & 1 deletion config/events.php
Expand Up @@ -83,7 +83,6 @@ function (Event\BuildRoutes $event) {
$app->add(Middleware\WrapExceptionsWithRequestData::class);

$app->add(Middleware\EnforceSecurity::class);
$app->add(Middleware\GetCurrentUser::class);

// Request injection middlewares.
$app->add(Middleware\InjectRouter::class);
25 changes: 18 additions & 7 deletions config/routes.php
@@ -1,13 +1,24 @@
<?php

use App\Middleware;
use Slim\App;
use Slim\Routing\RouteCollectorProxy;

return function (App $app) {

call_user_func(include(__DIR__ . '/routes/admin.php'), $app);
call_user_func(include(__DIR__ . '/routes/api.php'), $app);
call_user_func(include(__DIR__ . '/routes/base.php'), $app);
call_user_func(include(__DIR__ . '/routes/public.php'), $app);
call_user_func(include(__DIR__ . '/routes/stations.php'), $app);
return static function (App $app) {
$app->group(
'',
function (RouteCollectorProxy $group) {
call_user_func(include(__DIR__ . '/routes/admin.php'), $group);
call_user_func(include(__DIR__ . '/routes/base.php'), $group);
call_user_func(include(__DIR__ . '/routes/public.php'), $group);
call_user_func(include(__DIR__ . '/routes/stations.php'), $group);
}
)->add(Middleware\Auth\StandardAuth::class);

$app->group(
'',
function (RouteCollectorProxy $group) {
call_user_func(include(__DIR__ . '/routes/api.php'), $group);
}
)->add(Middleware\Auth\ApiAuth::class);
};
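Review bot: Authentication is now attached only through membership in one of the two `''` groups, so any route registered directly on `$app` outside them would run with neither `StandardAuth` nor `ApiAuth`; a comment stating that invariant would protect future edits, e.g. `// Every route file MUST be included inside one of the two groups below; a route added to $app directly bypasses the auth middleware.` On style, `call_user_func(include(...), $group)` can be written as `(include __DIR__ . '/routes/admin.php')($group)`, and the two inner closures could be `static function (RouteCollectorProxy $group): void` to match the outer `static` closure.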
3 changes: 1 addition & 2 deletions config/routes/admin.php
Expand Up @@ -3,10 +3,9 @@
use App\Acl;
use App\Controller;
use App\Middleware;
use Slim\App;
use Slim\Routing\RouteCollectorProxy;

return function (App $app) {
return static function (RouteCollectorProxy $app) {
$app->group(
'/admin',
function (RouteCollectorProxy $group) {
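Review bot: The new signature `return static function (RouteCollectorProxy $app) {` keeps the name `$app` for what is now a route group and declares no return type; `return static function (RouteCollectorProxy $group): void {` would match the naming used by the caller in `config/routes.php`, though renaming the parameter also touches the closure body, which lies outside this hunk. The same applies to the identical hunks in `config/routes/api.php`, `base.php`, `public.php` and `stations.php`.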
3 changes: 1 addition & 2 deletions config/routes/api.php
Expand Up @@ -5,10 +5,9 @@
use App\Http\Response;
use App\Http\ServerRequest;
use App\Middleware;
use Slim\App;
use Slim\Routing\RouteCollectorProxy;

return function (App $app) {
return static function (RouteCollectorProxy $app) {
$app->group(
'/api',
function (RouteCollectorProxy $group) {
3 changes: 1 addition & 2 deletions config/routes/base.php
Expand Up @@ -2,10 +2,9 @@

use App\Controller;
use App\Middleware;
use Slim\App;
use Slim\Routing\RouteCollectorProxy;

return function (App $app) {
return static function (RouteCollectorProxy $app) {
$app->get('/', Controller\Frontend\IndexAction::class)
->setName('home');

3 changes: 1 addition & 2 deletions config/routes/public.php
Expand Up @@ -2,10 +2,9 @@

use App\Controller;
use App\Middleware;
use Slim\App;
use Slim\Routing\RouteCollectorProxy;

return function (App $app) {
return static function (RouteCollectorProxy $app) {
$app->get('/sw.js', Controller\Frontend\PWA\ServiceWorkerAction::class)
->setName('public:sw');

3 changes: 1 addition & 2 deletions config/routes/stations.php
Expand Up @@ -5,10 +5,9 @@
use App\Http\Response;
use App\Http\ServerRequest;
use App\Middleware;
use Slim\App;
use Slim\Routing\RouteCollectorProxy;

return function (App $app) {
return static function (RouteCollectorProxy $app) {
$app->group(
'/station/{station_id}',
function (RouteCollectorProxy $group) {
