Adding CSRF form protection via Hapi Crumb plugin

app/plugins/crumb.plugin.js

@@ -0,0 +1,50 @@
+'use strict'
+
+/**
+ * Plugin to add CSRF token to all our forms
+ * @module CrumbPlugin
+ */
+
+const Crumb = require('@hapi/crumb')
+
+/**
+ * {@link https://hapi.dev/module/crumb/api/?v=9.0.1 | Crumb} is a Hapi plugin. Crumb is used to diminish CSRF attacks
+ * using a random unique token that is validated on the server side.
+ *
+ * Every view in the service that has a form that uses `method="POST"`, needs to have a hidden input field.
+ *
+ * ```html
+ * <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+ * ```
+ *
+ * When the page is requested the Crumb plugin will generate a token in the `onPreResponse` event that it will save to a
+ * cookie called 'wrlsCrumb'. It also makes it available in the view context hence our views can reference
+ * `{{wrlsCrumb}}`.
+ *
+ * When the user submits the form the Crumb plugin jumps in again, this time on the `onPostAuth` event. It compares both
+ * values and if they match it 'authorises' the request.
+ *
+ * If the the payload is missing `{{wrlsCrumb}}`, or the value doesn't match that saved in the cookie (which is secure
+ * so unreadable to the client) than it rejects the request. In our service the user will see a 404 as that is the
+ * default for an 'unauthorised' request.
+ *
+ * We have Crumb enabled by default for all endpoints to avoid us forgetting to protect a html form. However, this means
+ * it performs the check for _all_ POST requests. Our service exposes API-only POST endpoints which do not expect a
+ * payload. For this, the route config must include the following to disable Crumb.
+ *
+ * ```javascript
+ *   options: {
+ *     plugins: {
+ *       crumb: false
+ *     }
+ *   }
+ * ```
+ */
+const CrumbPlugin = {
+  plugin: Crumb,
+  options: {
+    key: 'wrlsCrumb'
+  }
+}
+
+module.exports = CrumbPlugin

app/routes/bill-runs.routes.js

@@ -12,6 +12,9 @@ const routes = [
         access: {
           scope: ['billing']
         }
+      },
+      plugins: {
+        crumb: false
       }
     }
   },

app/routes/billing-accounts.routes.js

@@ -15,6 +15,9 @@ const routes = [
         access: {
           scope: ['manage_billing_accounts']
         }
+      },
+      plugins: {
+        crumb: false
       }
     }
   }

app/routes/data.routes.js

@@ -36,7 +36,10 @@ const routes = [
         excludeFromProd: true,
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   },
   {
@@ -48,7 +51,10 @@ const routes = [
         excludeFromProd: true,
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   },
   {
@@ -60,7 +66,10 @@ const routes = [
         excludeFromProd: true,
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   }
 ]

app/routes/import.routes.js

@@ -11,7 +11,10 @@ const routes = [
       app: {
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   }
 ]

app/routes/jobs.routes.js

@@ -11,7 +11,10 @@ const routes = [
       app: {
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   },
   {
@@ -22,7 +25,10 @@ const routes = [
       app: {
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   },
   {
@@ -33,7 +39,10 @@ const routes = [
       app: {
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   },
   {
@@ -44,7 +53,10 @@ const routes = [
       app: {
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   }
 ]

app/server.js

@@ -5,6 +5,7 @@ const Hapi = require('@hapi/hapi')
 const AirbrakePlugin = require('./plugins/airbrake.plugin.js')
 const AuthPlugin = require('./plugins/auth.plugin.js')
 const ChargingModuleTokenCachePlugin = require('./plugins/charging-module-token-cache.plugin.js')
+const CrumbPlugin = require('./plugins/crumb.plugin.js')
 const ErrorPagesPlugin = require('./plugins/error-pages.plugin.js')
 const GlobalHapiServerMethodsPlugin = require('./plugins/global-hapi-server-methods.plugin.js')
 const GlobalNotifierPlugin = require('./plugins/global-notifier.plugin.js')
@@ -31,6 +32,7 @@ const registerPlugins = async (server) => {
   await server.register(AirbrakePlugin)
   await server.register(GlobalNotifierPlugin)
   await server.register(ChargingModuleTokenCachePlugin)
+  await server.register(CrumbPlugin)
   await server.register(ErrorPagesPlugin)
   await server.register(RequestNotifierPlugin)
   await server.register(PayloadCleanerPlugin)

app/views/bill-licences/remove.njk

@@ -99,6 +99,7 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
         {{ govukButton({ text: "Remove this licence", preventDoubleClick: true }) }}
       </form>
     </div>

app/views/bill-runs/amend-adjustment-factor.njk

@@ -72,6 +72,8 @@
       {% endif %}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukInput({
           label: {
             text: "Aggregate factor",

app/views/bill-runs/amend-authorised-volume.njk

@@ -50,6 +50,8 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukInput({
           label: {
             text: "Authorised volume",

app/views/bill-runs/amend-billable-returns.njk

@@ -69,6 +69,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {{ govukRadios({
           name: 'quantity-options',
           errorMessage: error.radioFormElement,

app/views/bill-runs/cancel.njk

@@ -70,6 +70,8 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukButton({ text: "Cancel bill run" }) }}
       </form>
     </div>

app/views/bill-runs/remove-licence.njk

@@ -75,6 +75,8 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukButton({ text: "Remove this licence", preventDoubleClick: true }) }}
       </form>
     </div>

app/views/bill-runs/review-licence.njk

@@ -122,6 +122,8 @@
   {% endif %}
 
   <form method="post">
+    <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
     <div class="govuk-button-group">
     {{ govukButton({
       text: statusButtonText,

app/views/bill-runs/review.njk

@@ -131,6 +131,8 @@
     <h2 class="govuk-heading-m govuk-!-margin-bottom-3">Filter by</h2>
 
     <form  method="post" action="review">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {# Filter by licence holder or licence number #}
       {{ govukInput({
         label: {

app/views/bill-runs/send.njk

@@ -70,6 +70,8 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukButton({ text: "Send bill run" }) }}
       </form>
     </div>

app/views/bill-runs/setup/region.njk

@@ -29,6 +29,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {% set regionItems = [] %}
       {% for region in regions %}
         {% set regionItem = { text: region.displayName, value: region.id, checked: region.id == selectedRegion } %}

app/views/bill-runs/setup/season.njk

@@ -29,6 +29,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {{ govukRadios({
         attributes: {
           'data-test': 'bill-run-season'

app/views/bill-runs/setup/type.njk

@@ -29,6 +29,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {{ govukRadios({
         attributes: {
           'data-test': 'bill-run-type'

app/views/bill-runs/setup/year.njk

@@ -29,6 +29,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {{ govukRadios({
         attributes: {
           'data-test': 'bill-run-year'

app/views/bills/remove.njk

@@ -103,6 +103,8 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukButton({ text: "Remove this bill", preventDoubleClick: true }) }}
       </form>
     </div>

app/views/data/deduplicate.njk

@@ -18,6 +18,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {{ govukInput({
         classes: 'govuk-!-width-one-third',
         errorMessage: error,

app/views/return-requirements/abstraction-period.njk

@@ -57,6 +57,8 @@
   </div>
 
   <form method="post">
+    <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
     {# From #}
     {{ govukDateInput({
       id: "abstraction-period-start",

app/views/return-requirements/additional-submission-options.njk

@@ -35,6 +35,8 @@
   {% endset %}
 
   <form method="post">
+    <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
     <div class="govuk-body">
       {{ govukCheckboxes({
         name: "additionalSubmissionOptions",

app/views/return-requirements/agreements-exceptions.njk

@@ -37,6 +37,8 @@
   </div>
 
   <form method="post">
+    <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
     {{ govukCheckboxes({
       name: "agreementsExceptions",
       hint: {

app/views/return-requirements/cancel.njk

@@ -56,6 +56,7 @@
     <p class="govuk-!-margin-bottom-7"></p>
 
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
       <input type="hidden" id="licence-id" name="licenceId" value="{{ licenceId }}" />
 
       {{ govukButton({ text: "Confirm cancel", preventDoubleClick: true }) }}

app/views/return-requirements/check.njk

@@ -111,6 +111,8 @@
 
       {# Add another requirement button #}
       <form method="post" action="/system/return-requirements/{{ sessionId }}/add">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukButton({
           text: "Add another requirement",
           classes: "govuk-button--secondary",
@@ -319,6 +321,8 @@
   {% endif %}
 
   <form method="post">
+    <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
     <div class="govuk-body">
       {% if returnsRequired %}
         {{ govukSummaryList({

app/views/return-requirements/existing.njk

@@ -39,6 +39,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {{ govukRadios({
         name: "existing",
         errorMessage: error,

app/views/return-requirements/frequency-collected.njk

@@ -35,6 +35,8 @@
   </div>
 
   <form method="post">
+    <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
     {{ govukRadios({
       name: "frequencyCollected",
       errorMessage: error,

app/views/return-requirements/frequency-reported.njk

@@ -35,6 +35,8 @@
   </div>
 
   <form method="post">
+    <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
     {{ govukRadios({
       name: "frequencyReported",
       errorMessage: error,