Merge pull request #18644 from nextcloud/harden/csrf_endpoint
Only allow requesting new CSRF tokens if it passes the SameSite Cooki…
This commit is contained in:
commit
52e4ecd66e
2 changed files with 17 additions and 1 deletions
|
@ -28,6 +28,7 @@ namespace OC\Core\Controller;
|
|||
|
||||
use OC\Security\CSRF\CsrfTokenManager;
|
||||
use OCP\AppFramework\Controller;
|
||||
use OCP\AppFramework\Http;
|
||||
use OCP\AppFramework\Http\JSONResponse;
|
||||
use OCP\IRequest;
|
||||
|
||||
|
@ -54,6 +55,10 @@ class CSRFTokenController extends Controller {
|
|||
* @return JSONResponse
|
||||
*/
|
||||
public function index(): JSONResponse {
|
||||
if (!$this->request->passesStrictCookieCheck()) {
|
||||
return new JSONResponse([], Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
|
||||
$requestToken = $this->tokenManager->getToken();
|
||||
|
||||
return new JSONResponse([
|
||||
|
|
|
@ -54,7 +54,9 @@ class CSRFTokenControllerTest extends TestCase {
|
|||
$this->tokenManager);
|
||||
}
|
||||
|
||||
public function testGetToken() {
|
||||
public function testGetToken(): void {
|
||||
$this->request->method('passesStrictCookieCheck')->willReturn(true);
|
||||
|
||||
$token = $this->createMock(CsrfToken::class);
|
||||
$this->tokenManager->method('getToken')->willReturn($token);
|
||||
$token->method('getEncryptedValue')->willReturn('toktok123');
|
||||
|
@ -68,4 +70,13 @@ class CSRFTokenControllerTest extends TestCase {
|
|||
], $response->getData());
|
||||
}
|
||||
|
||||
public function testGetTokenNoStrictSameSiteCookie(): void {
|
||||
$this->request->method('passesStrictCookieCheck')->willReturn(false);
|
||||
|
||||
$response = $this->controller->index();
|
||||
|
||||
$this->assertInstanceOf(JSONResponse::class, $response);
|
||||
$this->assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue