author | Vitaly Takmazov | 2022-12-20 16:58:42 +0300 |
committer | Vitaly Takmazov | 2022-12-20 16:58:42 +0300 |
commit | 1d1924a5c85775721a89378ca39a712f336b8f74 (patch) | |
tree | 8edf5478e0bccb15b69288766fe1efc9e02e5218 /src/main | |
parent | f0e10dc93f400e8ba979760a1c7af9d6e53cd1ef (diff) |
Disable CSRF entirely
Diffstat (limited to 'src/main')
10 files changed, 10 insertions, 26 deletions
diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java
index 0d570dc7..869a6d06 100644
--- a/src/main/java/com/juick/config/SecurityConfig.java
+++ b/src/main/java/com/juick/config/SecurityConfig.java
@@ -29,6 +29,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -44,11 +45,10 @@ import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import javax.inject.Inject;
 import java.util.Arrays;
 import java.util.Collections;
-import javax.inject.Inject;
-
 /**
 * Created by aalexeev on 11/21/16.
 */
@@ -191,7 +191,7 @@ public class SecurityConfig {
 .configurationSource(corsConfigurationSource()))
 .sessionManagement(
 sessionManagement -> sessionManagement
- .sessionCreationPolicy(SessionCreationPolicy.ALWAYS))
+ .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .logout(logout -> logout
 .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
 .invalidateHttpSession(true)
@@ -203,7 +203,7 @@ public class SecurityConfig {
 .successHandler(successHandler())
 .failureUrl("/login?error=1")
 .permitAll())
- .csrf(csrf -> csrf.ignoringRequestMatchers("/settings/unsubscribe", "/h2-console/**"))
+ .csrf(AbstractHttpConfigurer::disable)
 .rememberMe(rememberMe -> rememberMe
 .rememberMeCookieDomain(webDomain).key(rememberMeKey)
 .rememberMeServices(hashCookieServices()))
diff --git a/src/main/resources/templates/layouts/default.html b/src/main/resources/templates/layouts/default.html
index 9167dbfb..55c7e8b1 100644
--- a/src/main/resources/templates/layouts/default.html
+++ b/src/main/resources/templates/layouts/default.html
@@ -35,7 +35,7 @@
 <link rel="manifest" href="//i.juick.com/manifest.json" />
 </head>
-<body id="body" {% if visitor.uid > 0 %}data-hash="{{visitor.authHash}}" {% else %}data-token="{{_csrf.token}}" {% endif %}>
+<body id="body" {% if visitor.uid > 0 %}data-hash="{{visitor.authHash}}"{% endif %}>
 <div id="app">
 {% include "views/partial/navigation" %}
 <div id="content_wrapper">
diff --git a/src/main/resources/templates/views/login.html b/src/main/resources/templates/views/login.html
index f61853e8..046e5b09 100644
--- a/src/main/resources/templates/views/login.html
+++ b/src/main/resources/templates/views/login.html
@@ -42,7 +42,6 @@
 <div id="signinform">
 <form action="/login" method="POST">
 <p class="err">{{ authErrorMessage | default('') }}</p>
- <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <input class="txt" type="text" name="username" placeholder='{{ i18n("messages","label.username") }}' id="nickinput" autocomplete="username" />
 <input class="txt" type="password" name="password"
diff --git a/src/main/resources/templates/views/pm_inbox.html b/src/main/resources/templates/views/pm_inbox.html
index 10cd0a30..f89b2923 100644
--- a/src/main/resources/templates/views/pm_inbox.html
+++ b/src/main/resources/templates/views/pm_inbox.html
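Review bot: The change from `SessionCreationPolicy.ALWAYS` to `SessionCreationPolicy.STATELESS` is not covered by the commit message ("Disable CSRF entirely") and alters more than CSRF: with a stateless policy Spring Security stops storing the authenticated SecurityContext in an HttpSession, so after the form login configured below the authentication presumably survives only through the remember-me cookie produced by `hashCookieServices()`, and the `.invalidateHttpSession(true)` kept on logout has little left to invalidate. If that is the intent, record it next to the line, e.g. `// STATELESS: no server-side session; the remember-me cookie is the only thing that carries the login between requests`; if it is a side effect, keep ALWAYS (or IF_REQUIRED) here. The method building this filter chain starts before the hunk and continues past it.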
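Review bot: `.csrf(AbstractHttpConfigurer::disable)` removes the only CSRF defense for the cookie-authenticated POST forms touched by this diff (the `/login`, `/signup` and `/settings` forms, plus the post and pm forms) whose hidden `_csrf` inputs are dropped in the template hunks that follow, while the remember-me cookie set through `rememberMeCookieDomain(webDomain)` is still attached by the browser to cross-site requests; nothing visible replaces the token with another check, since the `data-hash` attribute kept in default.html is only rendered for logged-in visitors and whether the client script sends it on every mutating request is not shown here. If the motivation is that the default session-backed token repository cannot work with the STATELESS policy chosen in the previous hunk, the session-independent alternative is `.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))` (import `org.springframework.security.web.csrf.CookieCsrfTokenRepository`), which lets the templates keep their hidden inputs. Whatever is decided, the reason and the compensating control (for example a SameSite attribute on the remember-me cookie) belong in a comment on this line, because a bare disable reads like an oversight to the next reader. The enclosing method starts before the hunk and continues past it.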
@@ -17,7 +17,6 @@ <div class="msg-txt">{{ msg | formatMessage }}</div> <form class="pmmsg"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <input type="hidden" name="uname" value="{{ msg.user.name }}"/> <div class="msg-comment"> <div class="ta-wrapper"> diff --git a/src/main/resources/templates/views/pm_sent.html b/src/main/resources/templates/views/pm_sent.html index 2f95dad1..f0af71d3 100644 --- a/src/main/resources/templates/views/pm_sent.html +++ b/src/main/resources/templates/views/pm_sent.html @@ -1,7 +1,6 @@ {% extends "layouts/default" %} {% block content %} <form class="pmmsg"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <div class="newpm"> <div class="newpm-to">To: <input type="text" name="uname" placeholder="username" value="{{ uname }}"/></div> <div class="newpm-body"><textarea name="body" rows="2"></textarea></div> diff --git a/src/main/resources/templates/views/post.html b/src/main/resources/templates/views/post.html index f1070d7a..a77fa3bd 100644 --- a/src/main/resources/templates/views/post.html +++ b/src/main/resources/templates/views/post.html @@ -5,7 +5,6 @@ <form id="postmsg"> <p style="text-align: left;"> <b>Фото:</b> <span id="attachmentfile"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <input style="width: 100%;" type="file" name="attach" accept="image/jpeg,image/png"/> <i>({{ i18n("messages","postForm.imageFormats") }})</i></span> </p> <p> diff --git a/src/main/resources/templates/views/settings_about.html b/src/main/resources/templates/views/settings_about.html index 846a3d11..5e308671 100644 --- a/src/main/resources/templates/views/settings_about.html +++ b/src/main/resources/templates/views/settings_about.html 
@@ -1,7 +1,7 @@ {% extends "layouts/default" %} {% block content %} <article> - <form action="/settings?{{_csrf.parameterName}}={{_csrf.token}}" method="POST" enctype="multipart/form-data"> + <form action="/settings" method="POST" enctype="multipart/form-data"> <p>Full name: <input type="text" name="fullname" value="{{ userinfo.fullName }}"/></p> <p>Country: <input type="text" name="country" value="{{ userinfo.country }}"/></p> <p>URL: <input type="text" name="url" value="{{ userinfo.url }}" size="32"/><br/> diff --git a/src/main/resources/templates/views/settings_main.html b/src/main/resources/templates/views/settings_main.html index c819177e..0c0853f5 100644 --- a/src/main/resources/templates/views/settings_main.html +++ b/src/main/resources/templates/views/settings_main.html @@ -6,7 +6,6 @@ <h2 style="color: red; padding: 20px;">Verify your account by adding email or social account</h2> {% endif %} <form action="/settings" method="POST"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <fieldset> <legend>Notification options</legend> <p><input type="checkbox" name="jnotify" value="1" {% if notify_options.repliesEnabled %} @@ -22,8 +21,7 @@ <legend style="background: url(/durov.png) no-repeat; padding-left: 58px; line-height: 48px; background-size: contain;"> Telegram</legend> {% if telegram_name is not empty %} - <form action="/settings" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> + <form action="/settings" method="POST"> <div>Telegram: <b>{{ telegram_name }}</b> — <input type="hidden" name="page" value="telegram-del"/> <input type="submit" value=" Disable " {% if not beans.userServiceImpl.canDeleteTelegramUser(visitor) %}disabled="disabled"{% endif %} class="Button" /> 
@@ -36,7 +34,6 @@ </fieldset> {% if jids | length > 0 %} <form action="/settings" method="POST"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <fieldset> <legend style="background: url(//static.juick.com/settings/xmpp.png) no-repeat; padding-left: 58px; line-height: 48px;"> XMPP accounts @@ -66,7 +63,6 @@ E-mail </legend> <form action="/settings" method="POST"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <p>Add account:<br/> <input type="text" name="account"/> <input type="hidden" name="page" value="email-add"/> @@ -74,7 +70,6 @@ </p> </form> <form action="/settings" method="POST"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <p>Your accounts:</p> <p> {% for email in emails %} @@ -92,7 +87,6 @@ {% if emails is not empty %} <!--email_off--> <form action="/settings" method="POST"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <p>You can receive notifications to email:<br/> Sent to <select name="account"> <option value="">Disabled</option> @@ -117,8 +111,7 @@ </legend> {% if fbstatus.connected %} {% if fbstatus.crosspostEnabled %} - <form action="/settings" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> + <form action="/settings" method="POST"> <div> Facebook: <b>Enabled</b> — <input type="hidden" name="page" value="facebook-disable"/> @@ -126,8 +119,7 @@ </div> </form> {% else %} - <form action="/settings" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> + <form action="/settings" method="POST"> <div> Facebook: <b>Disabled</b> — <input type="hidden" name="page" value="facebook-enable"/> 
@@ -143,8 +135,7 @@ <legend style="background: url(//static.juick.com/settings/twitter.png) no-repeat; padding-left: 58px; line-height: 48px;"> Twitter</legend> {% if twitter_name is not empty %} - <form action="/settings" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> + <form action="/settings" method="POST"> <div>Twitter: <b>{{ twitter_name }}</b> — <input type="hidden" name="page" value="twitter-del"/> <input type="submit" class="Button" value=" Disable "/> diff --git a/src/main/resources/templates/views/settings_password.html b/src/main/resources/templates/views/settings_password.html index c09a97dd..4a9c403a 100644 --- a/src/main/resources/templates/views/settings_password.html +++ b/src/main/resources/templates/views/settings_password.html @@ -4,7 +4,6 @@ <fieldset> <legend>Changing your password</legend> <form action="/settings" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <input type="hidden" name="page" value="password"/> <p>Change password: <input type="password" name="password" size="8"/> <input class="Button" type="submit" value=" Update "/><br/> diff --git a/src/main/resources/templates/views/signup.html b/src/main/resources/templates/views/signup.html index ad5f8dfb..d3742734 100644 --- a/src/main/resources/templates/views/signup.html +++ b/src/main/resources/templates/views/signup.html @@ -14,7 +14,6 @@ <h2 class="signup-h2">Связать с существующим аккаунтом Juick</h2> <form action="/signup" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <input type="hidden" name="action" value="link"/> <input type="hidden" name="type" value="{{ type }}"/> <input type="hidden" name="hash" value="{{ hash }}"/> 
@@ -32,7 +31,6 @@ <h2 class="signup-h2">Создать новый аккаунт Juick</h2> <form action="/signup" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <input type="hidden" name="action" value="new"/> <input type="hidden" name="type" value="{{ type }}"/> <input type="hidden" name="hash" value="{{ hash }}"/> |