CBCSRF dependency not working properly

[lanechase34]

What are the steps to reproduce this issue?

1. In your config/modules/cbsecurity.cfc put these settings in for csrf

csrf: {
      enableAutoVerifier: true,
      verifyExcludes    : [
          'test.1', 'test.2'
      ],
      rotationTimeout       : 30,
      enableEndpoint        : true,
      cacheStorage          : 'CacheStorage@cbstorages',
      enableAuthTokenRotator: true
 }

2. Attempt to get a csrf token by calling /cbcsrf/generate - you will see a response 'Page Not Found'
3. You can attempt to access an endpoint (non-get) without a csrf token and you will not get a 'token not found exception'

What happens?

Looks like the settings from cbsecurity.csrf are not properly being set/propagated to the cbcsrf dependency.

Did a little digging and Line 167 in models/CBSecurity.cfc looked off
variables.moduleSettings.cbcsrf.settings.append( variables.settings.csrf, false );

Since all the values are defined in the default struct and with the overwrite flag being false, the module config will never override them.

Setting this to true will enable the /cbcsrf/generate endpoint but the interceptor to check the csrf token is still not being registered even though this is true enableAutoVerifier: true

Not sure how Coldbox handles module loading order, but the cbcsrf onLoad() appears to be called before the cbsecurity module gets set up

function onLoad(){
		binder.map( "CacheStorage@cbcsrf" ).toDSL( settings.cacheStorage );
		// Auto load verifier?
		if ( settings.enableAutoVerifier ) {  ***<- this is not reading the true set in cbsecurity config***
			controller
				.getInterceptorService()
				.registerInterceptor(
					interceptorClass = "cbcsrf.interceptors.VerifyCsrf",
					interceptorName  = "VerifyCsfr@cbcsrf"
				);
		}
		// Auth Rotator
		if ( settings.enableAuthTokenRotator ) {
			controller
				.getInterceptorService()
				.registerInterceptor(
					interceptorClass = "cbcsrf.interceptors.AuthRotator",
					interceptorName  = "AuthRotator@cbcsrf"
				);
		}
	}

Not sure if there's a way to specify the order and say cbcsrf should be loaded after cbsecurity, but I'm not really too sure how to fix this one.

What versions are you using?

Operating System: Windows 11 x64
Package Version: Lucee 7, CBSecure 3.6

[lmajano]

I have pushed a change to make sure cbsecurity loads first, which it should. It should be building now. Once it builds, install cbsecurity@be and please test.

[lanechase34]

Thanks, this fixed the settings loading issue. I'm using this as a module for my api and made the following changes in order for it to work. What do you think about this implementation, and is there anything you could add to the base module / clarify for other users?

1. Added endpoint to return json instead of raw text

/**
   * Generate CSRF token for Authenticated User
   */
  function generateCSRF(event, rc, prc) secured {
      prc.csrfToken = csrfService.generate();
      event
          .getResponse()
          .setData({csrf_token: prc.csrfToken})
          .addMessage('CSRF token created and it expires in #csrfService.getSettings().rotationTimeout# minutes')
          .setStatusCode(200);
  }

2. Installed cbstorages as a dependency and set up the following identifierProvider

identifierProvider: () => {
   announce('onIdentifier'); // announce event to SET request.userid = to the IDENTIFIER
   return 'USER_#request.userid#';
}

My main interceptor has this in custom point

/**
   * Interceptor to set the authUser Id to request scope to use inside CBStorage
   * to get the 'session' identifier
   */
  function onIdentifier(event, data, buffer, rc, prc) {
      request.userid = prc?.authUser?.getId() ?: createUUID();
  }

The way I see things, my custom interceptor is registered first, then cbsecurity preProcess(), then cbcsrf preProcess

1. CBsecurity sets auth user up for secured routes
2. CBCsrf checks if we need to validate a csrf token for the incoming request
3. CBstorages gets the current user's identity by calling custom interceptor point which has access to authUser, can get the storages for this user, and loads the csrf token for the user

[lanechase34]

Also, is there a way to override the configure() for the module's interceptor?
I want to add some tests to ensure it's checking for a valid token attached to the specific authUser

Specifically this line in cbcsrf/interceptors/VerifyCsrf.cfc

/**
 * Configure the interceptor
 */
function configure(){
	variables.isTestMode = isInstanceOf( controller, "coldbox.system.testing.mock.web.MockController" );
}

[lmajano]

You would have to get access to the interceptor and mock the method in a setup or before All. Since the interceptor is loaded automatically

[lanechase34]

I was able to do this:

test = getInstance(dsl = 'coldbox:interceptor:VerifyCsfr@cbcsrf')
test.setIsTestMode(false);

And I got this test to work

testMethods = ['post', 'delete', 'put', 'patch'];
testMethods.each((method) => {
    expect(() => {
        this[method](
            route = '/api/v1/securedroute', headers = {'x-auth-token': jwt, 'x-csrf-token': createUUID()}
        );
    }).toThrow(type = 'TokenMismatchException', message = 'The CSRF token is invalid.');
});

From my perspective, this looks good. Thank you again!