Add XSRF protection to legacy authentication mechanism

------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=148689952
2025-05-14 16:37:13 +02:00 · 2017-02-27 13:53:10 -08:00 · 2017-02-27 13:53:10 -08:00 · c7a62e9b98
commit c7a62e9b98
parent a5932c0fc3
12 changed files with 227 additions and 56 deletions
--- a/java/google/registry/request/Route.java
+++ b/java/google/registry/request/Route.java
@ -42,6 +42,7 @@ abstract class Route {
  }
  boolean shouldXsrfProtect(Action.Method requestMethod) {
-    return action().xsrfProtection() && requestMethod != Action.Method.GET;
+    return action().xsrfProtection()
        && (requestMethod != Action.Method.GET) && (requestMethod != Action.Method.HEAD);
  }
 }
--- a/java/google/registry/request/auth/AppEngineInternalAuthenticationMechanism.java
+++ b/java/google/registry/request/auth/AppEngineInternalAuthenticationMechanism.java
@ -17,6 +17,7 @@ package google.registry.request.auth;
 import static google.registry.request.auth.AuthLevel.APP;
 import static google.registry.request.auth.AuthLevel.NONE;
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
 /**
@ -56,6 +57,9 @@ public class AppEngineInternalAuthenticationMechanism implements AuthenticationM
  // As defined in the App Engine request header documentation.
  private static final String QUEUE_NAME_HEADER = "X-AppEngine-QueueName";
  @Inject
  public AppEngineInternalAuthenticationMechanism() {}
  @Override
  public AuthResult authenticate(HttpServletRequest request) {
    if (request.getHeader(QUEUE_NAME_HEADER) == null) {
--- a/java/google/registry/request/auth/AuthModule.java
+++ b/java/google/registry/request/auth/AuthModule.java
@ -16,12 +16,9 @@ package google.registry.request.auth;
 import com.google.appengine.api.oauth.OAuthService;
 import com.google.appengine.api.oauth.OAuthServiceFactory;
 import com.google.appengine.api.users.UserService;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
 /**
 * Dagger module for authentication routines.
@ -29,28 +26,12 @@ import google.registry.config.RegistryConfig.Config;
@Module
 public class AuthModule {
  /** Provides the internal authentication mechanism. */
  @Provides
  AppEngineInternalAuthenticationMechanism provideAppEngineInternalAuthenticationMechanism() {
    return new AppEngineInternalAuthenticationMechanism();
  }
  /** Provides the custom authentication mechanisms (including OAuth). */
  @Provides
  ImmutableList<AuthenticationMechanism> provideApiAuthenticationMechanisms(
-      OAuthService oauthService,
+      OAuthAuthenticationMechanism oauthAuthenticationMechanism) {
      @Config("availableOauthScopes") ImmutableSet<String> availableOauthScopes,
      @Config("requiredOauthScopes") ImmutableSet<String> requiredOauthScopes,
      @Config("allowedOauthClientIds") ImmutableSet<String> allowedOauthClientIds) {
    return ImmutableList.<AuthenticationMechanism>of(
-        new OAuthAuthenticationMechanism(
+        oauthAuthenticationMechanism);
            oauthService, availableOauthScopes, requiredOauthScopes, allowedOauthClientIds));
  }
  /** Provides the legacy authentication mechanism. */
  @Provides
  LegacyAuthenticationMechanism provideLegacyAuthenticationMechanism(UserService userService) {
    return new LegacyAuthenticationMechanism(userService);
  }
  /** Provides the OAuthService instance. */
--- a/java/google/registry/request/auth/BUILD
+++ b/java/google/registry/request/auth/BUILD
@ -9,6 +9,7 @@ java_library(
    srcs = glob(["*.java"]),
    deps = [
        "//java/google/registry/config",
        "//java/google/registry/security",
        "//java/google/registry/util",
        "@com_google_appengine_api_1_0_sdk",
        "@com_google_auto_value",
--- a/java/google/registry/request/auth/LegacyAuthenticationMechanism.java
+++ b/java/google/registry/request/auth/LegacyAuthenticationMechanism.java
@ -14,11 +14,15 @@
 package google.registry.request.auth;
 import static com.google.common.base.Strings.nullToEmpty;
 import static google.registry.request.auth.AuthLevel.NONE;
 import static google.registry.request.auth.AuthLevel.USER;
 import static google.registry.security.XsrfTokenManager.X_CSRF_TOKEN;
 import com.google.appengine.api.users.UserService;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableSet;
 import google.registry.security.XsrfTokenManager;
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
@ -27,25 +31,36 @@ import javax.servlet.http.HttpServletRequest;
 *
 * <p>Just use the values returned by UserService.
 */
 // TODO(mountford) Add XSRF protection here or elsewhere, from RequestHandler
 public class LegacyAuthenticationMechanism implements AuthenticationMechanism {
  private final UserService userService;
  private final XsrfTokenManager xsrfTokenManager;
  /** HTTP methods which are considered safe, and do not require XSRF protection. */
  private static final ImmutableSet<String> SAFE_METHODS = ImmutableSet.of("GET", "HEAD");
  @VisibleForTesting
  @Inject
-  public LegacyAuthenticationMechanism(UserService userService) {
+  public LegacyAuthenticationMechanism(UserService userService, XsrfTokenManager xsrfTokenManager) {
    this.userService = userService;
    this.xsrfTokenManager = xsrfTokenManager;
  }
  @Override
  public AuthResult authenticate(HttpServletRequest request) {
    if (!userService.isUserLoggedIn()) {
      return AuthResult.create(NONE);
    } else {
      return AuthResult.create(
          USER,
          UserAuthInfo.create(userService.getCurrentUser(), userService.isUserAdmin()));
    }
    if (!SAFE_METHODS.contains(request.getMethod())
        && !xsrfTokenManager.validateToken(
            nullToEmpty(request.getHeader(X_CSRF_TOKEN)),
            "console")) { // hard-coded for now; in the long run, this will be removed
      return AuthResult.create(NONE);
    }
    return AuthResult.create(
        USER,
        UserAuthInfo.create(userService.getCurrentUser(), userService.isUserAdmin()));
  }
 }
--- a/java/google/registry/security/XsrfTokenManager.java
+++ b/java/google/registry/security/XsrfTokenManager.java
@ -25,6 +25,7 @@ import com.google.common.hash.Hashing;
 import google.registry.util.Clock;
 import google.registry.util.FormattingLogger;
 import java.util.List;
 import javax.annotation.Nullable;
 import javax.inject.Inject;
 import org.joda.time.DateTime;
 import org.joda.time.Duration;
@ -32,6 +33,8 @@ import org.joda.time.Duration;
 /** Helper class for generating and validate XSRF tokens. */
 public final class XsrfTokenManager {
  // TODO(b/35388772): remove the scope parameter
  /** HTTP header used for transmitting XSRF tokens. */
  public static final String X_CSRF_TOKEN = "X-CSRF-Token";
@ -48,8 +51,16 @@ public final class XsrfTokenManager {
    this.userService = userService;
  }
-  private static String encodeToken(long creationTime, String scope, String userEmail) {
+  /**
-    String token = Joiner.on('\t').join(getServerSecret(), userEmail, scope, creationTime);
+   * Encode a token.
   *
   * <p>The token is a Base64-encoded SHA-256 hash of a string containing the secret, email, scope
   * and creation time, separated by tabs. If the scope is null, the string is secret, email,
   * creation time. In the future, the scope option will be removed.
   */
  private static String encodeToken(long creationTime, @Nullable String scope, String userEmail) {
    String token =
        Joiner.on('\t').skipNulls().join(getServerSecret(), userEmail, scope, creationTime);
    return base64Url().encode(Hashing.sha256()
        .newHasher(token.length())
        .putString(token, UTF_8)
@ -58,28 +69,69 @@ public final class XsrfTokenManager {
  }
  /**
-   * Generate an xsrf token for a given scope using the logged in user or else no user.
+   * Generate an xsrf token for a given scope using the email of the logged in user or else no user.
   *
   * <p>If there is no user, the entire xsrf check becomes basically a no-op, but that's ok because
   * any callback that doesn't have a user shouldn't be able to access any per-user resources
   * anyways.
   *
   * <p>The scope (or lack thereof) is passed to {@link #encodeToken}. Use of a scope in xsrf tokens
   * is deprecated; instead, use the no-argument version.
   */
-  public String generateToken(String scope) {
+  @Deprecated
-    return generateToken(scope, getLoggedInEmailOrEmpty());
+  public String generateTokenWithCurrentUser(@Nullable String scope) {
    return generateTokenSub(scope, getLoggedInEmailOrEmpty());
  }
-  /** Generate an xsrf token for a given scope and user. */
+  /**
-  public String generateToken(String scope, String email) {
+   * Generate an xsrf token for a given scope and user.
   *
   * <p>The scope (or lack thereof) is passed to {@link #encodeToken}. Use of a scope in xsrf tokens
   * is deprecated; instead, use the no-argument version.
   */
  @Deprecated
  public String generateToken(@Nullable String scope, String email) {
    long now = clock.nowUtc().getMillis();
    return Joiner.on(':').join(encodeToken(now, scope, email), now);
  }
  /** Generate an xsrf token for a given user. */
  public String generateToken(String email) {
    return generateTokenSub(null, email);
  }
  private String getLoggedInEmailOrEmpty() {
    return userService.isUserLoggedIn() ? userService.getCurrentUser().getEmail() : "";
  }
-  /** Validate an xsrf token, given the scope it was used for. */
+  private String generateTokenSub(@Nullable String scope, String email) {
-  public boolean validateToken(String token, String scope) {
+    long now = clock.nowUtc().getMillis();
    return Joiner.on(':').join(encodeToken(now, scope, email), now);
  }
  /**
   * Validate an xsrf token, given the scope it was used for.
   *
   * <p>We plan to remove the scope parameter. As a first step, the method first checks for the
   * existence of a token with no scope. If that is not found, it then looks for the existence of a
   * token with the specified scope. Our next step will be to have clients pass in a null scope.
   * Finally, we will remove scopes from this code altogether.
   */
  @Deprecated
  public boolean validateToken(String token, @Nullable String scope) {
    return validateTokenSub(token, scope);
  }
  /**
   * Validate an xsrf token.
   *
   * <p>This is the non-scoped version to which we will transition in the future.
   */
  public boolean validateToken(String token) {
    return validateTokenSub(token, null);
  }
  private boolean validateTokenSub(String token, @Nullable String scope) {
    List<String> tokenParts = Splitter.on(':').splitToList(token);
    if (tokenParts.size() != 2) {
      logger.warningfmt("Malformed XSRF token: %s", token);
@ -98,11 +150,21 @@ public final class XsrfTokenManager {
      logger.infofmt("Expired timestamp in XSRF token: %s", token);
      return false;
    }
-    String reconstructedToken = encodeToken(creationTime, scope, getLoggedInEmailOrEmpty());
+    // First, check for a scopeless token, because that's the token of the future.
-    if (!reconstructedToken.equals(encodedPart)) {
+    String reconstructedToken = encodeToken(creationTime, null, getLoggedInEmailOrEmpty());
-      logger.warningfmt("Reconstructed XSRF mismatch: %s ≠ %s", encodedPart, reconstructedToken);
+    if (reconstructedToken.equals(encodedPart)) {
-      return false;
+      return true;
    }
-    return true;
+
    // If we don't find one, look for one with the specified scope.
    if (scope != null) {
      reconstructedToken = encodeToken(creationTime, scope, getLoggedInEmailOrEmpty());
      if (reconstructedToken.equals(encodedPart)) {
        return true;
      }
    }
    logger.warningfmt("Reconstructed XSRF mismatch: %s ≠ %s", encodedPart, reconstructedToken);
    return false;
  }
 }
--- a/java/google/registry/ui/server/registrar/ConsoleUiAction.java
+++ b/java/google/registry/ui/server/registrar/ConsoleUiAction.java
@ -105,7 +105,10 @@ public final class ConsoleUiAction implements Runnable {
      return;
    }
    Registrar registrar = Registrar.loadByClientId(sessionUtils.getRegistrarClientId(req));
-    data.put("xsrfToken", xsrfTokenManager.generateToken(EppConsoleAction.XSRF_SCOPE));
+    data.put(
        "xsrfToken",
        xsrfTokenManager.generateToken(
            EppConsoleAction.XSRF_SCOPE, userService.getCurrentUser().getEmail()));
    data.put("clientId", registrar.getClientId());
    data.put("showPaymentLink", registrar.getBillingMethod() == Registrar.BillingMethod.BRAINTREE);
--- a/javatests/google/registry/request/RequestHandlerTest.java
+++ b/javatests/google/registry/request/RequestHandlerTest.java
@ -241,7 +241,7 @@ public final class RequestHandlerTest {
                ImmutableSet.of("https://www.googleapis.com/auth/userinfo.email"),
                ImmutableSet.of("https://www.googleapis.com/auth/userinfo.email"),
                ImmutableSet.of("proxy-client-id", "regtool-client-id"))),
-        new LegacyAuthenticationMechanism(userService));
+        new LegacyAuthenticationMechanism(userService, xsrfTokenManager));
    // Initialize here, not inline, so that we pick up the mocked UserService.
    handler = RequestHandler.<Component>createForTest(
@ -382,7 +382,8 @@ public final class RequestHandlerTest {
  public void testXsrfProtection_validTokenProvided_runsAction() throws Exception {
    userService.setUser(testUser,  false);
    when(req.getMethod()).thenReturn("POST");
-    when(req.getHeader("X-CSRF-Token")).thenReturn(xsrfTokenManager.generateToken("vampire"));
+    when(req.getHeader("X-CSRF-Token"))
        .thenReturn(xsrfTokenManager.generateTokenWithCurrentUser("vampire"));
    when(req.getRequestURI()).thenReturn("/safe-sloth");
    handler.handleRequest(req, rsp);
    verify(safeSlothTask).run();
@ -392,7 +393,8 @@ public final class RequestHandlerTest {
  public void testXsrfProtection_tokenWithInvalidScopeProvided_returns403() throws Exception {
    userService.setUser(testUser,  false);
    when(req.getMethod()).thenReturn("POST");
-    when(req.getHeader("X-CSRF-Token")).thenReturn(xsrfTokenManager.generateToken("blood"));
+    when(req.getHeader("X-CSRF-Token"))
        .thenReturn(xsrfTokenManager.generateTokenWithCurrentUser("blood"));
    when(req.getRequestURI()).thenReturn("/safe-sloth");
    handler.handleRequest(req, rsp);
    verify(rsp).sendError(403, "Invalid X-CSRF-Token");
--- a/javatests/google/registry/request/auth/BUILD
+++ b/javatests/google/registry/request/auth/BUILD
@ -14,6 +14,7 @@ java_library(
    deps = [
        "//java/google/registry/request",
        "//java/google/registry/request/auth",
        "//java/google/registry/security",
        "//javatests/google/registry/testing",
        "//third_party/java/objectify:objectify-v4_1",
        "@com_google_appengine_api_1_0_sdk//:testonly",
--- a/javatests/google/registry/request/auth/RequestAuthenticatorTest.java
+++ b/javatests/google/registry/request/auth/RequestAuthenticatorTest.java
@ -26,11 +26,14 @@ import com.google.common.base.Optional;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import google.registry.request.Action;
 import google.registry.security.XsrfTokenManager;
 import google.registry.testing.AppEngineRule;
 import google.registry.testing.ExceptionRule;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeOAuthService;
 import google.registry.testing.FakeUserService;
 import javax.servlet.http.HttpServletRequest;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@ -125,6 +128,8 @@ public class RequestAuthenticatorTest {
  private final User testUser = new User("test@google.com", "test@google.com");
  private final FakeUserService fakeUserService = new FakeUserService();
  private final XsrfTokenManager xsrfTokenManager =
      new XsrfTokenManager(new FakeClock(), fakeUserService);
  private final FakeOAuthService fakeOAuthService = new FakeOAuthService(
      false /* isOAuthEnabled */,
      testUser,
@ -132,6 +137,11 @@ public class RequestAuthenticatorTest {
      "test-client-id",
      ImmutableList.of("test-scope1", "test-scope2", "nontest-scope"));
  @Before
  public void before() throws Exception {
    when(req.getMethod()).thenReturn("POST");
  }
  private RequestAuthenticator createRequestAuthenticator(UserService userService) {
    return new RequestAuthenticator(
        new AppEngineInternalAuthenticationMechanism(),
@ -141,7 +151,7 @@ public class RequestAuthenticatorTest {
                ImmutableSet.of("test-scope1", "test-scope2", "test-scope3"),
                ImmutableSet.of("test-scope1", "test-scope2"),
                ImmutableSet.of("test-client-id", "other-test-client-id"))),
-        new LegacyAuthenticationMechanism(userService));
+        new LegacyAuthenticationMechanism(userService, xsrfTokenManager));
  }
  private Optional<AuthResult> runTest(UserService userService, Class<?> clazz) {
@ -152,19 +162,20 @@ public class RequestAuthenticatorTest {
  @Test
  public void testNoAuthNeeded_noneFound() throws Exception {
    Optional<AuthResult> authResult = runTest(mockUserService, AuthNone.class);
    verifyZeroInteractions(mockUserService);
    assertThat(authResult).isPresent();
    assertThat(authResult.get()).isNotNull();
    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.NONE);
  }
  @Test
  public void testNoAuthNeeded_internalFound() throws Exception {
    when(req.getHeader("X-AppEngine-QueueName")).thenReturn("__cron");
    Optional<AuthResult> authResult = runTest(mockUserService, AuthNone.class);
    verifyZeroInteractions(mockUserService);
    assertThat(authResult).isPresent();
    assertThat(authResult.get()).isNotNull();
    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.APP);
    assertThat(authResult.get().userAuthInfo()).isAbsent();
  }
@ -172,6 +183,7 @@ public class RequestAuthenticatorTest {
  @Test
  public void testInternalAuth_notInvokedInternally() throws Exception {
    Optional<AuthResult> authResult = runTest(mockUserService, AuthInternalOnly.class);
    verifyZeroInteractions(mockUserService);
    assertThat(authResult).isAbsent();
  }
@ -179,10 +191,11 @@ public class RequestAuthenticatorTest {
  @Test
  public void testInternalAuth_success() throws Exception {
    when(req.getHeader("X-AppEngine-QueueName")).thenReturn("__cron");
    Optional<AuthResult> authResult = runTest(mockUserService, AuthInternalOnly.class);
    verifyZeroInteractions(mockUserService);
    assertThat(authResult).isPresent();
    assertThat(authResult.get()).isNotNull();
    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.APP);
    assertThat(authResult.get().userAuthInfo()).isAbsent();
  }
@ -190,15 +203,28 @@ public class RequestAuthenticatorTest {
  @Test
  public void testAnyUserAnyMethod_notLoggedIn() throws Exception {
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserAnyMethod.class);
    assertThat(authResult).isAbsent();
  }
  @Test
  public void testAnyUserAnyMethod_xsrfFailure() throws Exception {
    fakeUserService.setUser(testUser, false);
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserAnyMethod.class);
    assertThat(authResult).isAbsent();
  }
  @Test
  public void testAnyUserAnyMethod_success() throws Exception {
    fakeUserService.setUser(testUser, false /* isAdmin */);
    when(req.getHeader(XsrfTokenManager.X_CSRF_TOKEN))
        .thenReturn(xsrfTokenManager.generateTokenWithCurrentUser("console"));
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserAnyMethod.class);
    assertThat(authResult).isPresent();
    assertThat(authResult.get()).isNotNull();
    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
    assertThat(authResult.get().userAuthInfo()).isPresent();
    assertThat(authResult.get().userAuthInfo().get().user()).isEqualTo(testUser);
@ -206,23 +232,53 @@ public class RequestAuthenticatorTest {
    assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isAbsent();
  }
  @Test
  public void testAnyUserAnyMethod_xsrfNotRequiredForGet() throws Exception {
    fakeUserService.setUser(testUser, false);
    when(req.getMethod()).thenReturn("GET");
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserAnyMethod.class);
    assertThat(authResult).isPresent();
    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
    assertThat(authResult.get().userAuthInfo()).isPresent();
    assertThat(authResult.get().userAuthInfo().get().user()).isEqualTo(testUser);
    assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isAbsent();
  }
  @Test
  public void testAdminUserAnyMethod_notLoggedIn() throws Exception {
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAdminUserAnyMethod.class);
    assertThat(authResult).isAbsent();
  }
  @Test
  public void testAdminUserAnyMethod_notAdminUser() throws Exception {
    fakeUserService.setUser(testUser, false /* isAdmin */);
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAdminUserAnyMethod.class);
    assertThat(authResult).isAbsent();
  }
  @Test
  public void testAdminUserAnyMethod_xsrfFailure() throws Exception {
    fakeUserService.setUser(testUser, true);
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAdminUserAnyMethod.class);
    assertThat(authResult).isAbsent();
  }
  @Test
  public void testAdminUserAnyMethod_success() throws Exception {
    fakeUserService.setUser(testUser, true /* isAdmin */);
    when(req.getHeader(XsrfTokenManager.X_CSRF_TOKEN))
        .thenReturn(xsrfTokenManager.generateTokenWithCurrentUser("console"));
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAdminUserAnyMethod.class);
    assertThat(authResult).isPresent();
    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
    assertThat(authResult.get().userAuthInfo()).isPresent();
@ -236,7 +292,9 @@ public class RequestAuthenticatorTest {
    fakeOAuthService.setUser(testUser);
    fakeOAuthService.setOAuthEnabled(true);
    when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
    assertThat(authResult).isPresent();
    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
    assertThat(authResult.get().userAuthInfo()).isPresent();
@ -257,7 +315,9 @@ public class RequestAuthenticatorTest {
    fakeOAuthService.setUserAdmin(true);
    fakeOAuthService.setOAuthEnabled(true);
    when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
    assertThat(authResult).isPresent();
    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
    assertThat(authResult.get().userAuthInfo()).isPresent();
@ -276,7 +336,9 @@ public class RequestAuthenticatorTest {
  public void testOAuthMissingAuthenticationToken_failure() throws Exception {
    fakeOAuthService.setUser(testUser);
    fakeOAuthService.setOAuthEnabled(true);
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
    assertThat(authResult).isAbsent();
  }
@ -286,7 +348,9 @@ public class RequestAuthenticatorTest {
    fakeOAuthService.setOAuthEnabled(true);
    fakeOAuthService.setClientId("wrong-client-id");
    when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
    assertThat(authResult).isAbsent();
  }
@ -296,7 +360,9 @@ public class RequestAuthenticatorTest {
    fakeOAuthService.setOAuthEnabled(true);
    fakeOAuthService.setAuthorizedScopes();
    when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
    assertThat(authResult).isAbsent();
  }
@ -306,7 +372,9 @@ public class RequestAuthenticatorTest {
    fakeOAuthService.setOAuthEnabled(true);
    fakeOAuthService.setAuthorizedScopes("test-scope1", "test-scope3");
    when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
    assertThat(authResult).isAbsent();
  }
@ -316,7 +384,9 @@ public class RequestAuthenticatorTest {
    fakeOAuthService.setOAuthEnabled(true);
    fakeOAuthService.setAuthorizedScopes("test-scope1", "test-scope2", "test-scope3");
    when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
    assertThat(authResult).isPresent();
    assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
    assertThat(authResult.get().userAuthInfo()).isPresent();
@ -334,13 +404,16 @@ public class RequestAuthenticatorTest {
  @Test
  public void testAnyUserNoLegacy_failureWithLegacyUser() throws Exception {
    fakeUserService.setUser(testUser, false /* isAdmin */);
    Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
    assertThat(authResult).isAbsent();
  }
  @Test
  public void testNoMethods_failure() throws Exception {
    thrown.expect(IllegalArgumentException.class, "Must specify at least one auth method");
    runTest(fakeUserService, AuthNoMethods.class);
  }
@ -348,6 +421,7 @@ public class RequestAuthenticatorTest {
  public void testMissingInternal_failure() throws Exception {
    thrown.expect(IllegalArgumentException.class,
        "Auth method INTERNAL must always be specified, and as the first auth method");
    runTest(fakeUserService, AuthMissingInternal.class);
  }
@ -355,6 +429,7 @@ public class RequestAuthenticatorTest {
  public void testWrongMethodOrdering_failure() throws Exception {
    thrown.expect(IllegalArgumentException.class,
        "Auth methods must be unique and strictly in order - INTERNAL, API, LEGACY");
    runTest(fakeUserService, AuthWrongMethodOrdering.class);
  }
@ -362,6 +437,7 @@ public class RequestAuthenticatorTest {
  public void testDuplicateMethods_failure() throws Exception {
    thrown.expect(IllegalArgumentException.class,
        "Auth methods must be unique and strictly in order - INTERNAL, API, LEGACY");
    runTest(fakeUserService, AuthDuplicateMethods.class);
  }
@ -369,6 +445,7 @@ public class RequestAuthenticatorTest {
  public void testInternalWithUser_failure() throws Exception {
    thrown.expect(IllegalArgumentException.class,
        "Actions with only INTERNAL auth may not require USER auth level");
    runTest(fakeUserService, AuthInternalWithUser.class);
  }
@ -376,6 +453,7 @@ public class RequestAuthenticatorTest {
  public void testWronglyIgnoringUser_failure() throws Exception {
    thrown.expect(IllegalArgumentException.class,
        "Actions with auth methods beyond INTERNAL must not specify the IGNORED user policy");
    runTest(fakeUserService, AuthWronglyIgnoringUser.class);
  }
 }
--- a/javatests/google/registry/security/XsrfTokenManagerTest.java
+++ b/javatests/google/registry/security/XsrfTokenManagerTest.java
@ -54,7 +54,9 @@ public class XsrfTokenManagerTest {
  @Test
  public void testSuccess() {
-    assertThat(xsrfTokenManager.validateToken(xsrfTokenManager.generateToken("console"), "console"))
+    assertThat(
            xsrfTokenManager.validateToken(
                xsrfTokenManager.generateTokenWithCurrentUser("console"), "console"))
        .isTrue();
  }
@ -70,7 +72,7 @@ public class XsrfTokenManagerTest {
  @Test
  public void testExpired() {
-    String token = xsrfTokenManager.generateToken("console");
+    String token = xsrfTokenManager.generateTokenWithCurrentUser("console");
    clock.setTo(START_OF_TIME.plusDays(2));
    assertThat(xsrfTokenManager.validateToken(token, "console")).isFalse();
  }
@ -78,7 +80,9 @@ public class XsrfTokenManagerTest {
  @Test
  public void testTimestampTamperedWith() {
    String encodedPart =
-        Splitter.on(':').splitToList(xsrfTokenManager.generateToken("console")).get(0);
+        Splitter.on(':')
            .splitToList(xsrfTokenManager.generateTokenWithCurrentUser("console"))
            .get(0);
    long tamperedTimestamp = clock.nowUtc().plusMillis(1).getMillis();
    assertThat(xsrfTokenManager.validateToken(encodedPart + ":" + tamperedTimestamp, "console"))
        .isFalse();
@ -93,7 +97,26 @@ public class XsrfTokenManagerTest {
  @Test
  public void testDifferentScope() {
-    assertThat(xsrfTokenManager.validateToken(xsrfTokenManager.generateToken("console"), "foobar"))
+    assertThat(
            xsrfTokenManager.validateToken(
                xsrfTokenManager.generateTokenWithCurrentUser("console"), "foobar"))
        .isFalse();
  }
  @Test
  public void testNullScope() {
    assertThat(
            xsrfTokenManager.validateToken(
                xsrfTokenManager.generateTokenWithCurrentUser(null), null))
        .isTrue();
  }
  // This test checks that the server side will pass when we switch the client to use a null scope.
  @Test
  public void testNullScopePassesWhenTestedWithNonNullScope() {
    assertThat(
            xsrfTokenManager.validateToken(
                xsrfTokenManager.generateTokenWithCurrentUser(null), "console"))
        .isTrue();
  }
 }
--- a/javatests/google/registry/ui/server/registrar/RegistrarSettingsActionTestCase.java
+++ b/javatests/google/registry/ui/server/registrar/RegistrarSettingsActionTestCase.java
@ -113,7 +113,7 @@ public class RegistrarSettingsActionTestCase {
    when(req.getMethod()).thenReturn("POST");
    when(rsp.getWriter()).thenReturn(new PrintWriter(writer));
    when(req.getContentType()).thenReturn("application/json");
-    when(req.getHeader(eq("X-CSRF-Token"))).thenReturn(xsrfTokenManager.generateToken("console"));
+    when(req.getHeader(eq("X-CSRF-Token"))).thenReturn(xsrfTokenManager.generateTokenWithCurrentUser("console"));
    when(req.getReader()).thenReturn(createJsonPayload(ImmutableMap.of("op", "read")));
    when(sessionUtils.isLoggedIn()).thenReturn(true);
    when(sessionUtils.checkRegistrarConsoleLogin(req)).thenReturn(true);