zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-06-30 08:13:32 +02:00
Code Issues Projects Releases Packages Wiki Activity

Add XSRF protection to legacy authentication mechanism

Browse source 
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=148689952
This commit is contained in:
mountford 2017-02-27 13:53:10 -08:00 committed by Ben McIlwain
parent a5932c0fc3
commit c7a62e9b98
12 changed files with 227 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

27
java/google/registry/request/auth/LegacyAuthenticationMechanism.java
View file

@ -14,11 +14,15 @@
package google.registry.request.auth;
import static com.google.common.base.Strings.nullToEmpty;
import static google.registry.request.auth.AuthLevel.NONE;
import static google.registry.request.auth.AuthLevel.USER;
import static google.registry.security.XsrfTokenManager.X_CSRF_TOKEN;
import com.google.appengine.api.users.UserService;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import google.registry.security.XsrfTokenManager;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
@ -27,25 +31,36 @@ import javax.servlet.http.HttpServletRequest;
*
* <p>Just use the values returned by UserService.
*/
// TODO(mountford) Add XSRF protection here or elsewhere, from RequestHandler
public class LegacyAuthenticationMechanism implements AuthenticationMechanism {
private final UserService userService;
private final XsrfTokenManager xsrfTokenManager;
/** HTTP methods which are considered safe, and do not require XSRF protection. */
private static final ImmutableSet<String> SAFE_METHODS = ImmutableSet.of("GET", "HEAD");
@VisibleForTesting
@Inject
public LegacyAuthenticationMechanism(UserService userService) {
public LegacyAuthenticationMechanism(UserService userService, XsrfTokenManager xsrfTokenManager) {
this.userService = userService;
this.xsrfTokenManager = xsrfTokenManager;
}
@Override
public AuthResult authenticate(HttpServletRequest request) {
if (!userService.isUserLoggedIn()) {
return AuthResult.create(NONE);
} else {
return AuthResult.create(
USER,
UserAuthInfo.create(userService.getCurrentUser(), userService.isUserAdmin()));
}
if (!SAFE_METHODS.contains(request.getMethod())
&& !xsrfTokenManager.validateToken(
nullToEmpty(request.getHeader(X_CSRF_TOKEN)),
"console")) { // hard-coded for now; in the long run, this will be removed
return AuthResult.create(NONE);
}
return AuthResult.create(
USER,
UserAuthInfo.create(userService.getCurrentUser(), userService.isUserAdmin()));
}
}