Support CSRF black/white listing on URL params #123

Open
mjy78 opened this issue May 16, 2018 · 2 comments
Comments


mjy78 commented May 16, 2018

We have a scenario where our API is consumed by an Angular app using JWT with cookies for authentication and as such we have CSRF enabled.

Our server also supports validating the access token if provided as a url query parameter. We'd like to be able to blacklist (not perform CSRF) API calls when the access token is provided this way. This will enable us to expose the same API for REST clients.

Could the CSRF blacklist/whitelist feature compare against the req.originalUrl instead of just req.path?

At present it performs a simple indexOf comparison on the request to ensure the path starts with the blacklist/whitelist entry. Ideally this could support a regex comparison against the req.originalUrl.

This way we could bypass CSRF when the url contains a JWT access token in the query string by specifying something like:

{
  csrf: {
    angular: true,
    // JS string escapes: '[?&]' is the query delimiter class; '\\.' is a literal dot in the regex
    blacklist: '[?&]access_token=[A-Za-z0-9\\-_=]+\\.[A-Za-z0-9\\-_=]+\\.[A-Za-z0-9\\-_=]+'
  }
}
@linkRace
Contributor

Hi @mjy78,
As I understand, you'd like two features added:

  • option to compare against req.originalUrl instead of req.path
  • regex option as opposed to string/array

Can you confirm?


mjy78 commented Jul 31, 2018

That's correct.

Although we've since worked around the need for this feature by initialising lusca with csrf: false, then defining a separate middleware that explicitly calls lusca.csrf, but only after checking that the query string doesn't contain the access token...

var express = require('express');
var lusca = require('lusca');

var app = express();

// Standalone CSRF middleware, applied conditionally below
var csrf = lusca.csrf({
  angular: true
});

app.use(lusca({
  csrf: false, // Only for web based (AngularJS app) clients - see conditional middleware below
  xframe: 'SAMEORIGIN',
  hsts: {
    maxAge: 31536000, //1 year, in seconds
    includeSubDomains: true,
    preload: true
  },
  xssProtection: true
}));

// To allow non-browser clients to make use of the API without CSRF validation complicating things,
// we don't perform CSRF validation whenever the "access_token" query parameter is included in
// the url. (req.query relies on Express's default query parser.)
var conditionalCSRF = function (req, res, next) {
  if (!req.query.access_token) {
    csrf(req, res, next);
  } else {
    next();
  }
};

app.use(conditionalCSRF);
