Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-25903

CSRF Token for Platform

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 10.3
    • Component/s: Web Common
    • Epic Link:
    • Tags:
    • Impact type:
      Configuration Change
    • Upgrade notes:
      Hide

      Activation

      To activate CSRF Token verification, use the following configuration:

        <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
    <property name="nuxeo.csrf.token.enabled">true</property>
  </extension>

      When this is activated, all clients accessing Nuxeo will need to get a token and provide it on all requests that are not GET/HEAD.

      Note that even when the CSRF Token is not activated, other CSRF checks not using a token are still being done (using the Origin/Referer headers).

      Getting the token initially

      The client must use the following request with the header CSRF-Token: fetch:

      GET /nuxeo
CSRF-Token: fetch

      The response will contain the token in the header:

      200 OK
CSRF-Token: uNTIwv3oEImb3singqJKSuJDNjM9ldVOjnwtxmFh

      Passing the token

      Then on every request that is not a GET/HEAD (so this applies to POST/PUT/DELETE/etc.) the client must provide the same token, either in the CSRF-Token request header or in the csrf-token request parameter:

      POST /nuxeo/something
CSRF-Token: uNTIwv3oEImb3singqJKSuJDNjM9ldVOjnwtxmFh

      or

      POST /nuxeo/something?csrf-token=uNTIwv3oEImb3singqJKSuJDNjM9ldVOjnwtxmFh

      Missing, expired or invalid token

      If the token is missing, expired or invalid, the client will get a 403 Forbidden error, and a CSRF-Token: invalid header will be set:

      403 Forbidden
CSRF-Token: invalid

      Skipping certain endpoints

      Some authentication endpoints need to be available with a POST without CSRF token checks. This can be done using for example:

        <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
    <property name="nuxeo.csrf.token.skip" list="true">/login</property>
  </extension>
      Show
      Activation To activate CSRF Token verification, use the following configuration: <extension target= "org.nuxeo.runtime.ConfigurationService" point= "configuration" > <property name= "nuxeo.csrf.token.enabled" > true </property> </extension> When this is activated, all clients accessing Nuxeo will need to get a token and provide it on all requests that are not GET/HEAD. Note that even when the CSRF Token is not activated, other CSRF checks not using a token are still being done (using the Origin/Referer headers). Getting the token initially The client must use the following request with the header CSRF-Token: fetch : GET /nuxeo CSRF-Token: fetch The response will contain the token in the header: 200 OK CSRF-Token: uNTIwv3oEImb3singqJKSuJDNjM9ldVOjnwtxmFh Passing the token Then on every request that is not a GET/HEAD (so this applies to POST/PUT/DELETE/etc.) the client must provide the same token, either in the CSRF-Token request header or in the csrf-token request parameter: POST /nuxeo/something CSRF-Token: uNTIwv3oEImb3singqJKSuJDNjM9ldVOjnwtxmFh or POST /nuxeo/something?csrf-token=uNTIwv3oEImb3singqJKSuJDNjM9ldVOjnwtxmFh Missing, expired or invalid token If the token is missing, expired or invalid, the client will get a 403 Forbidden error, and a CSRF-Token: invalid header will be set: 403 Forbidden CSRF-Token: invalid Skipping certain endpoints Some authentication endpoints need to be available with a POST without CSRF token checks. This can be done using for example: <extension target= "org.nuxeo.runtime.ConfigurationService" point= "configuration" > <property name= "nuxeo.csrf.token.skip" list= "true" > /login </property> </extension>
    • Sprint:
      nxFG 10.3.9, nxFG 10.3.10
    • Story Points:
      5

      Description

      In order to have a second layer of CSRF protection (beyond the existing one based one the Origin header, see NXP-24331), we want to allow the use of CSRF tokens.

      The implementation of CSRF Tokens for the platform requires to:

      • define the token retrieval API
      • define the token passing mechanism from the clients
      • make it optional (to allow for old clients)

      In addition, the CMIS token mechanism must be activated automatically when the platform tokens are active.

      Note that the SAML callback endpoint is done using a POST and must be excluded from CSRF token checks.

        Attachments

          Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. NXP-24331 CSRF Protection for Platform

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          is required by

          New Feature - A new feature of the product, which has yet to be developed. JAVACLIENT-169 CSRF Token for Java Client

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. NETCLIENT-15 CSRF Token for .NET Client

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. NXJS-173 CSRF Token for JavaScript Client

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. NXPY-73 CSRF Token for Python Client

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. PHPCLIENT-20 CSRF Token for PHP Client

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. NXP-25904 CSRF Token for JSF

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 4 hours
                  4h