Skip to content
This repository was archived by the owner on Jul 9, 2025. It is now read-only.

feat: extend CSRF token protection to all api routes #9422

Merged
cwhitten merged 9 commits into from
Nov 22, 2022
Merged

feat: extend CSRF token protection to all api routes #9422

cwhitten merged 9 commits into from
Nov 22, 2022

Conversation

@OEvgeny
Copy link
Collaborator

@OEvgeny OEvgeny commented Nov 15, 2022
edited
Loading

Description

This enables CSRF protection for /api calls, so Composer server can authenticate Composer client app.

Following changes were made:

  • Added a token placeholder validation in development, so it is clear the API calls fail without the token during development
  • Added X-CSRF-Token header to client's requests through axios interceptor
  • Added code to the @bfc/shared package which exposes extended axios instance
  • Changed client code to use the axios instance exposed from the @bfc/shared package
  • Changed publishing extension to use the axios instance exposed from the @bfc/shared package

#minor

@OEvgeny OEvgeny changed the title feat(security): extend CSRF token protection to all api routes feat security: extend CSRF token protection to all api routes Nov 15, 2022
@OEvgeny OEvgeny changed the title feat security: extend CSRF token protection to all api routes feat: extend CSRF token protection to all api routes Nov 15, 2022
@OEvgeny OEvgeny force-pushed the security/csrf-protection branch 2 times, most recently from 18c0b7f to 184a4be Compare November 16, 2022 05:12
@OEvgeny OEvgeny force-pushed the security/csrf-protection branch from 184a4be to 9deba69 Compare November 16, 2022 06:07
@coveralls
Copy link

coveralls commented Nov 16, 2022
edited
Loading

Coverage Status

Coverage decreased (-0.01%) to 54.637% when pulling c6b523f on OEvgeny:security/csrf-protection into a27c3e5 on microsoft:main.

@OEvgeny OEvgeny marked this pull request as ready for review November 18, 2022 18:40
@cwhitten cwhitten merged commit e7d75ec into microsoft:main Nov 22, 2022
@OEvgeny OEvgeny deleted the security/csrf-protection branch November 22, 2022 18:51
@cwhitten cwhitten mentioned this pull request Aug 15, 2023
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@natalgar natalgar Awaiting requested review from natalgar

@VamsiModem VamsiModem Awaiting requested review from VamsiModem

@benbrown benbrown Awaiting requested review from benbrown

@boydc2014 boydc2014 Awaiting requested review from boydc2014

@a-b-r-o-w-n a-b-r-o-w-n Awaiting requested review from a-b-r-o-w-n

@srinaath srinaath Awaiting requested review from srinaath

@tdurnford tdurnford Awaiting requested review from tdurnford

1 more reviewer

@cwhitten cwhitten cwhitten approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@OEvgeny @coveralls @cwhitten