1 change: 1 addition & 0 deletions DependencyInjection/Configuration.php
Expand Up @@ -28,6 +28,7 @@ public function getConfigTreeBuilder()
->booleanNode('security')->defaultTrue()->info(
"Whether or not the SecurityBundle integration should be enabled. Set to false if and only if your app does not use SecurityBundle."
)->end()
->booleanNode('csrf_protection')->defaultTrue()->end()
->end();

return $treeBuilder;
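Review bot: The new `->booleanNode('csrf_protection')->defaultTrue()->end()` line carries no `->info()` text, unlike the `security` node directly above it, so an integrator reading the config reference gets no hint that switching this off drops the OAuth2 `state` parameter from the authorize redirect and removes the callback's token check (SSOEntryPoint.php and SSOListener.php in this same PR), which leaves the login callback exposed to login CSRF. Suggest `->booleanNode('csrf_protection')->defaultTrue()->info("Send and validate an OAuth2 'state' parameter backed by the Symfony CSRF token manager. Set to false only if your app cannot use the CSRF token manager; the login callback is then not bound to the request that started the flow.")->end()`. getConfigTreeBuilder() starts before this hunk.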
6 changes: 6 additions & 0 deletions DependencyInjection/HappyrAuth0Extension.php
Expand Up @@ -28,6 +28,12 @@ public function load(array $configs, ContainerBuilder $container)

if ($config['security']) {
$loader->load('security.yml');

$container->getDefinition('happyr.auth0.security.authentication.entry_point.oauth')
->replaceArgument(4, $config['csrf_protection']);

$container->getDefinition('happyr.auth0.security.authentication.listener.sso')
->addMethodCall('setCsrfProtection', $config['csrf_protection']);
}

// Add the secret key as parameter
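Review bot: `->addMethodCall('setCsrfProtection', $config['csrf_protection'])` passes a bare boolean where Symfony's `Definition::addMethodCall()` takes the method's argument list as an array, so container compilation will fail on the `array` parameter type (TypeError on PHP 7, catchable fatal on PHP 5) as soon as the `security` branch runs; it should read `->addMethodCall('setCsrfProtection', [$config['csrf_protection']])`. The `replaceArgument(4, $config['csrf_protection'])` call just above depends on the `~` placeholder in security.yml sitting at the same positional index as `$csrfProtectionEnabled` in `SSOEntryPoint::__construct`, which is the sixth parameter (index 5) of the constructor shown in this PR, so please verify the index against the full argument list and leave a comment such as `// must match the position of $csrfProtectionEnabled in SSOEntryPoint::__construct` so the two stay in sync. load() continues outside this hunk.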
1 change: 1 addition & 0 deletions Resources/config/security.yml
Expand Up @@ -19,4 +19,5 @@ services:
- "@security.http_utils"
- "%auth0.client_id%"
- "%auth0.domain%"
- ~ # CSRF Protection set by configuration
abstract: true
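Review bot: The added `- ~ # CSRF Protection set by configuration` placeholder is appended after `%auth0.domain%`, but `SSOEntryPoint::__construct` in this PR takes `$callbackPath` before `$csrfProtectionEnabled`, so unless the lines above the hunk (the CSRF token manager and possibly the callback path) account for that position, the `~` lands on `$callbackPath` and the extension's `replaceArgument(4, …)` writes the boolean into the callback path while the CSRF flag silently keeps its default. Since this service is `abstract: true`, the security factory that decorates it presumably supplies the callback path; if it does so with `addArgument()`, that value would now shift onto `$csrfProtectionEnabled` and a non-empty path string would read as "protection on" regardless of configuration. Worth confirming the final argument order at compile time and making the comment explicit, e.g. `- ~ # $csrfProtectionEnabled, replaced by HappyrAuth0Extension from csrf_protection`.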
23 changes: 18 additions & 5 deletions Security/EntryPoint/SSOEntryPoint.php
Expand Up @@ -39,35 +39,48 @@ class SSOEntryPoint implements AuthenticationEntryPointInterface
*/
private $callbackPath;

/**
* @var string
*/
private $csrfProtectionEnabled;

/**
* @param HttpUtils $httpUtils
* @param $auth0ClientId
* @param string $auth0Domain
*/
public function __construct(CsrfTokenManager $csrfTokenManager, HttpUtils $httpUtils, $auth0ClientId, $auth0Domain, $callbackPath)
{
public function __construct(
CsrfTokenManager $csrfTokenManager,
HttpUtils $httpUtils,
$auth0ClientId,
$auth0Domain,
$callbackPath,
$csrfProtectionEnabled = true
) {
$this->csrfTokenManager = $csrfTokenManager;
$this->httpUtils = $httpUtils;
$this->auth0ClientId = $auth0ClientId;
$this->auth0Domain = $auth0Domain;
$this->callbackPath = $callbackPath;
$this->csrfProtectionEnabled = $csrfProtectionEnabled;
}

/**
* {@inheritdoc}
*/
public function start(Request $request, AuthenticationException $authException = null)
{
$csrfToken = $this->csrfTokenManager->getToken('auth0-sso');

$query = [
'client_id' => $this->auth0ClientId,
'redirect_uri' => $this->httpUtils->generateUri($request, $this->callbackPath),
'response_type' => 'code',
'language' => $request->getLocale(),
'state' => $csrfToken->getValue(),
];

if ($this->csrfProtectionEnabled) {
$query['state'] = $this->csrfTokenManager->getToken('auth0-sso')->getValue();
}

return new RedirectResponse(sprintf('https://%s/authorize?%s', $this->auth0Domain, http_build_query($query)));
}
}
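Review bot: The new property docblock declares `@var string` for `$csrfProtectionEnabled`, but the value is the boolean `csrf_protection` config node and is used as a condition in start(); it should be `@var bool`. The rewritten constructor docblock still documents only three of the six parameters; add `@param string $callbackPath` and `@param bool $csrfProtectionEnabled Whether to send a CSRF-backed 'state' parameter (default true)`. Since start() now omits `state` from the authorize URL entirely when the flag is off, the `if ($this->csrfProtectionEnabled)` guard deserves a why-comment, e.g. `// Without CSRF protection no 'state' is sent, so the callback cannot be tied back to this request (login CSRF risk).`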
22 changes: 17 additions & 5 deletions Security/Firewall/SSOListener.php
Expand Up @@ -32,6 +32,11 @@ class SSOListener extends AbstractAuthenticationListener
*/
private $csrfTokenManager;

/**
* @var bool
*/
private $csrfProtectionEnabled = true;

public function setCsrfTokenManager(CsrfTokenManager $csrfTokenManager)
{
$this->csrfTokenManager = $csrfTokenManager;
Expand All @@ -45,6 +50,11 @@ public function setAuthenticationApi($authenticationApi)
$this->authenticationApi = $authenticationApi;
}

public function setCsrfProtection($protectionEnabled = true)
{
$this->csrfProtectionEnabled = $protectionEnabled;
}

/**
* @param string $callbackPath
*
Expand All @@ -63,12 +73,14 @@ protected function attemptAuthentication(Request $request)
throw new AuthenticationException('No oauth code in the request.');
}

if (null === $state = $request->query->get('state')) {
throw new AuthenticationException('No state in the request.');
}
if ($this->csrfProtectionEnabled) {
if (null === $state = $request->query->get('state')) {
throw new AuthenticationException('No state in the request.');
}

if (!$this->csrfTokenManager->isTokenValid(new CsrfToken('auth0-sso', $state))) {
throw new AuthenticationException('Invalid CSRF token');
if (!$this->csrfTokenManager->isTokenValid(new CsrfToken('auth0-sso', $state))) {
throw new AuthenticationException('Invalid CSRF token');
}
}

$tokenStruct = $this->authenticationApi
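Review bot: `setCsrfProtection($protectionEnabled = true)` has neither a docblock nor a type constraint, yet it controls whether attemptAuthentication() checks the `state` parameter at all; anything truthy passed by a caller switches the check on and anything falsy disables it silently. Suggest storing it as `$this->csrfProtectionEnabled = (bool) $protectionEnabled;` and documenting the consequence in the method docblock: `@param bool $protectionEnabled When false the 'state' parameter is neither required nor validated, so the callback accepts any 'code' regardless of which request started the flow.` The `if ($this->csrfProtectionEnabled)` block in attemptAuthentication() would benefit from the same one-line why-comment; that method starts before the hunk and continues after it.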