Nuxeo Platform / NXP-25903

CSRF Token for Platform


    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 10.3
    • Component/s: Web Common
    • Impact type:
      Configuration Change
    • Upgrade notes:

      Activation

      To activate CSRF Token verification, use the following configuration:

        <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
          <property name="nuxeo.csrf.token.enabled">true</property>
        </extension>
      

      When this is activated, all clients accessing Nuxeo will need to get a token and provide it on all requests that are not GET/HEAD.

      Note that even when the CSRF Token is not activated, other CSRF checks not using a token are still being done (using the Origin/Referer headers).

      Getting the token initially

      The client must use the following request with the header CSRF-Token: fetch:

      GET /nuxeo
      CSRF-Token: fetch
      

      The response will contain the token in the header:

      200 OK
      CSRF-Token: uNTIwv3oEImb3singqJKSuJDNjM9ldVOjnwtxmFh
      

      Passing the token

      Then on every request that is not a GET/HEAD (so this applies to POST/PUT/DELETE/etc.) the client must provide the same token, either in the CSRF-Token request header or in the csrf-token request parameter:

      POST /nuxeo/something
      CSRF-Token: uNTIwv3oEImb3singqJKSuJDNjM9ldVOjnwtxmFh
      

      or

      POST /nuxeo/something?csrf-token=uNTIwv3oEImb3singqJKSuJDNjM9ldVOjnwtxmFh
      

      Missing, expired or invalid token

      If the token is missing, expired or invalid, the client will get a 403 Forbidden error, and a CSRF-Token: invalid header will be set:

      403 Forbidden
      CSRF-Token: invalid
      

      Skipping certain endpoints

      Some authentication endpoints need to be available with a POST without CSRF token checks. This can be done using for example:

        <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
          <property name="nuxeo.csrf.token.skip" list="true">/login</property>
        </extension>
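
      The following is an added illustration, not Nuxeo's own filter code: a small in-memory model of the rules described above (token fetch via GET with CSRF-Token: fetch, validation of non-GET/HEAD requests from the CSRF-Token header or the csrf-token parameter, 403 with CSRF-Token: invalid on failure, and a skip list such as /login), plus a client helper that performs the fetch-then-POST sequence. The Request/Response classes, the session binding, the token lifetime, the stripping of the /nuxeo context path before matching the skip list, and the token format are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

SAFE_METHODS = {"GET", "HEAD"}   # requests that never need a token
HEADER = "CSRF-Token"            # header used both to fetch and to present the token
PARAM = "csrf-token"             # query parameter alternative for presenting it
CONTEXT_PATH = "/nuxeo"          # assumption: skip paths are relative to this prefix


@dataclass
class Request:
    method: str
    path: str                       # may carry a query string, e.g. "/nuxeo/x?csrf-token=..."
    headers: dict = field(default_factory=dict)
    session_id: str = "sess-1"      # constructed stand-in for the authenticated session


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class CsrfTokenFilter:
    """Model of the token check; tokens are bound to a session and expire after ttl_seconds."""

    def __init__(self, enabled=True, skip_paths=("/login",), ttl_seconds=3600):
        self.enabled = enabled
        self.skip_paths = set(skip_paths)
        self.ttl = ttl_seconds
        self._tokens = {}   # session_id -> (token, issued_at)

    @staticmethod
    def _header(req, name):
        # header names are case-insensitive in HTTP
        for key, value in req.headers.items():
            if key.lower() == name.lower():
                return value
        return None

    def handle(self, req, now=None):
        now = time.time() if now is None else now
        parsed = urlparse(req.path)
        path = parsed.path
        if path.startswith(CONTEXT_PATH):
            path = path[len(CONTEXT_PATH):]

        if not self.enabled:
            # the non-token Origin/Referer checks mentioned in the notes are out of scope here
            return Response(200)

        if req.method in SAFE_METHODS:
            resp = Response(200)
            if self._header(req, HEADER) == "fetch":
                # issue a fresh, unguessable token and remember it for this session
                token = secrets.token_urlsafe(30)
                self._tokens[req.session_id] = (token, now)
                resp.headers[HEADER] = token
            return resp

        if path in self.skip_paths:
            return Response(200)    # e.g. /login: POST allowed without a token

        presented = self._header(req, HEADER)
        if presented is None:
            presented = parse_qs(parsed.query).get(PARAM, [None])[0]
        issued = self._tokens.get(req.session_id)

        # missing, expired or mismatched token: reject and flag it in the response header
        if (presented is None or issued is None or now - issued[1] > self.ttl
                or not secrets.compare_digest(presented.encode(), issued[0].encode())):
            return Response(403, {HEADER: "invalid"})
        return Response(200)


def client_flow(server, session_id="sess-1"):
    """Client side of the notes: fetch the token once, then present it on a POST."""
    fetched = server.handle(Request("GET", "/nuxeo", {HEADER: "fetch"}, session_id))
    token = fetched.headers[HEADER]
    post = server.handle(Request("POST", "/nuxeo/something", {HEADER: token}, session_id))
    return post.status


if __name__ == "__main__":
    server = CsrfTokenFilter()
    print("POST without token:", server.handle(Request("POST", "/nuxeo/something")).status)
    print("fetch then POST:", client_flow(server))
```

      The reason the fetch step is safe against a cross-site attacker is that a custom request header such as CSRF-Token: fetch cannot be attached by a plain HTML form, and a cross-origin script cannot read the response header without the server opting in through CORS; the token therefore stays with the legitimate client, and the comparison is constant-time so the check does not leak information about the stored value.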
      
    • Sprint:
      nxFG 10.3.9, nxFG 10.3.10
    • Story Points:
      5
    • Epic Link:

      Description

      In order to have a second layer of CSRF protection (beyond the existing one based on the Origin header, see NXP-24331), we want to allow the use of CSRF tokens.

      The implementation of CSRF tokens for the platform requires us to:

      • define the token retrieval API
      • define the token passing mechanism from the clients
      • make it optional (to allow for old clients)

      In addition, the CMIS token mechanism must be activated automatically when the platform tokens are active.

      Note that the SAML callback endpoint is done using a POST and must be excluded from CSRF token checks.

      People

      • Votes: 0
      • Watchers: 2

      Time Tracking

      • Estimated: Not Specified
      • Remaining: 0m
      • Logged: 4h