From 0d52f9dd0ea6240767c832735eef4119d4b3f8b3 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 30 Dec 2024 10:58:44 -0300
Subject: [PATCH] feat(async): avoid sending CSRF token for async edge polling requests BE-1152 (#272)
---
 api/http/csrf/csrf.go | 18 ++++++++++++++----
 go.mod | 4 ++--
 go.sum | 4 ++++
 3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/api/http/csrf/csrf.go b/api/http/csrf/csrf.go
index 3533171ce..857d72c8b 100644
--- a/api/http/csrf/csrf.go
+++ b/api/http/csrf/csrf.go
@@ -13,6 +13,12 @@ import (
 "github.com/urfave/negroni"
 )
+const csrfSkipHeader = "X-CSRF-Token-Skip"
+
+func SkipCSRFToken(w http.ResponseWriter) {
+ w.Header().Set(csrfSkipHeader, "1")
+}
+
 func WithProtect(handler http.Handler) (http.Handler, error) {
 // IsDockerDesktopExtension is used to check if we should skip csrf checks in the request bouncer (ShouldSkipCSRFCheck)
 // DOCKER_EXTENSION is set to '1' in build/docker-extension/docker-compose.yml
@@ -42,10 +48,14 @@ func withSendCSRFToken(handler http.Handler) http.Handler {
 sw := negroni.NewResponseWriter(w)
 sw.Before(func(sw negroni.ResponseWriter) {
- statusCode := sw.Status()
- if statusCode >= 200 && statusCode < 300 {
- csrfToken := gorillacsrf.Token(r)
- sw.Header().Set("X-CSRF-Token", csrfToken)
+ if len(sw.Header().Get(csrfSkipHeader)) > 0 {
+ sw.Header().Del(csrfSkipHeader)
+
+ return
+ }
+
+ if statusCode := sw.Status(); statusCode >= 200 && statusCode < 300 {
+ sw.Header().Set("X-CSRF-Token", gorillacsrf.Token(r))
 }
 })
diff --git a/go.mod b/go.mod
index 1cf631205..078490071 100644
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require (
 github.com/gofrs/uuid v4.2.0+incompatible
 github.com/golang-jwt/jwt/v4 v4.5.0
 github.com/google/go-cmp v0.6.0
- github.com/gorilla/csrf v1.7.1
+ github.com/gorilla/csrf v1.7.2
 github.com/gorilla/mux v1.8.1
 github.com/gorilla/websocket v1.5.0
 github.com/hashicorp/golang-lru v0.5.4
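Review bot: SkipCSRFToken is exported but carries no doc comment, and its contract is not visible from its one-line body: the marker it sets is consumed and deleted by withSendCSRFToken's Before hook in the second hunk rather than being an API header the client sees. I would add `// SkipCSRFToken marks the response so withSendCSRFToken does not attach an X-CSRF-Token header; the marker header is stripped before the response is written.` above the function, and a short comment on csrfSkipHeader stating that it is an in-process marker between handler and middleware, not part of the HTTP API. Because any handler can call it, the comment should also say it is meant only for responses whose callers never need the token (the commit title names async edge polling); the call sites are outside this diff, so that scope is worth confirming.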
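Review bot: The marker header is removed only inside the Before hook, so for any response where that hook does not fire (presumably a handler that writes neither a status nor a body, or one that hijacks the connection — inferred from how negroni's ResponseWriter triggers Before, not visible here) the `X-CSRF-Token-Skip: 1` header would be emitted to the client. Nothing sensitive leaks, but it exposes an internal control signal on the wire; carrying the skip flag in the request context instead of the response header map would avoid the side channel, at the cost of changing SkipCSRFToken's signature, so a comment documenting the assumption is the minimum: `// marker set by SkipCSRFToken; it is stripped here, before headers are flushed`. As a point of style, `len(sw.Header().Get(csrfSkipHeader)) > 0` reads more idiomatically as `if sw.Header().Get(csrfSkipHeader) != "" {`. The enclosing withSendCSRFToken starts and ends outside this hunk.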
@@ -60,7 +60,7 @@ require ( software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78 ) -require github.com/gorilla/securecookie v1.1.1 // indirect +require github.com/gorilla/securecookie v1.1.2 // indirect require ( dario.cat/mergo v1.0.1 // indirect diff --git a/go.sum b/go.sum index d2ade4af2..6376e9920 100644 --- a/go.sum +++ b/go.sum @@ -315,11 +315,15 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/csrf v1.7.1 h1:Ir3o2c1/Uzj6FBxMlAUB6SivgVMy1ONXwYgXn+/aHPE= github.com/gorilla/csrf v1.7.1/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA= +github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI= +github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk= github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA= +github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=