Merge pull request springfox#2639 from olOwOlo/optional-csrf-support

dilipkrish · web-flow · commit e4378b881686 · 2019-08-03T13:30:22.000-05:00
Make csrf support optional fixes springfox#2578
diff --git a/springfox-spring-config/src/main/java/springfox/springconfig/Swagger2SpringBoot.java b/springfox-spring-config/src/main/java/springfox/springconfig/Swagger2SpringBoot.java
@@ -140,6 +140,7 @@ SecurityConfiguration security() {
         .scopeSeparator(",")
         .additionalQueryStringParams(null)
         .useBasicAuthenticationWithAccessCodeGrant(false)
+        .enableCsrfSupport(false)
         .build();
   }
 
diff --git a/springfox-swagger-common/src/main/java/springfox/documentation/swagger/web/SecurityConfiguration.java b/springfox-swagger-common/src/main/java/springfox/documentation/swagger/web/SecurityConfiguration.java
@@ -59,6 +59,10 @@ public class SecurityConfiguration {
   private final String scopeSeparator;
   private final Map<String, Object> additionalQueryStringParams;
   private final Boolean useBasicAuthenticationWithAccessCodeGrant;
+  /*--------------------------------------------*\
+   * CSRF
+  \*--------------------------------------------*/
+  private final Boolean enableCsrfSupport;
 
   /**
    * @deprecated @since 2.8.0. Use the {@link SecurityConfigurationBuilder} instead
@@ -102,6 +106,7 @@ public SecurityConfiguration(
 
     this.additionalQueryStringParams = null;
     this.useBasicAuthenticationWithAccessCodeGrant = null;
+    this.enableCsrfSupport = null;
   }
 
   /**
@@ -121,6 +126,7 @@ public SecurityConfiguration(
    *                                                  Password using the HTTP Basic Authentication scheme (Authorization
    *                                                  header with Basic base64encoded[client_id:client_secret]). The
    *                                                  default is false.
+   * @param enableCsrfSupport                         Enable csrf support, default is false.
    */
   public SecurityConfiguration(
       String clientId,
@@ -129,14 +135,16 @@ public SecurityConfiguration(
       String appName,
       String scopeSeparator,
       Map<String, Object> additionalQueryStringParams,
-      Boolean useBasicAuthenticationWithAccessCodeGrant) {
+      Boolean useBasicAuthenticationWithAccessCodeGrant,
+      Boolean enableCsrfSupport) {
     this.clientId = clientId;
     this.clientSecret = clientSecret;
     this.realm = realm;
     this.appName = appName;
     this.scopeSeparator = scopeSeparator;
     this.additionalQueryStringParams = additionalQueryStringParams;
     this.useBasicAuthenticationWithAccessCodeGrant = useBasicAuthenticationWithAccessCodeGrant;
+    this.enableCsrfSupport = enableCsrfSupport;
   }
 
   /**
@@ -206,4 +214,9 @@ public Map<String, Object> getAdditionalQueryStringParams() {
   public Boolean getUseBasicAuthenticationWithAccessCodeGrant() {
     return useBasicAuthenticationWithAccessCodeGrant;
   }
+
+  @JsonProperty("enableCsrfSupport")
+  public Boolean getEnableCsrfSupport() {
+    return enableCsrfSupport;
+  }
 }
diff --git a/springfox-swagger-common/src/main/java/springfox/documentation/swagger/web/SecurityConfigurationBuilder.java b/springfox-swagger-common/src/main/java/springfox/documentation/swagger/web/SecurityConfigurationBuilder.java
@@ -34,6 +34,7 @@ public class SecurityConfigurationBuilder {
   private String scopeSeparator;
   private Map<String, Object> additionalQueryStringParams;
   private Boolean useBasicAuthenticationWithAccessCodeGrant;
+  private Boolean enableCsrfSupport;
 
   private SecurityConfigurationBuilder() {
   }
@@ -50,7 +51,8 @@ public SecurityConfiguration build() {
         defaultIfAbsent(appName, null),
         defaultIfAbsent(scopeSeparator, null),
         defaultIfAbsent(additionalQueryStringParams, null),
-        defaultIfAbsent(useBasicAuthenticationWithAccessCodeGrant, null)
+        defaultIfAbsent(useBasicAuthenticationWithAccessCodeGrant, null),
+        defaultIfAbsent(enableCsrfSupport, null)
     );
   }
 
@@ -122,4 +124,13 @@ public SecurityConfigurationBuilder useBasicAuthenticationWithAccessCodeGrant(
     this.useBasicAuthenticationWithAccessCodeGrant = useBasicAuthenticationWithAccessCodeGrant;
     return this;
   }
+
+  /**
+   * @param enableCsrfSupport Try to find csrf token and add it to the header of all requests by patching the requestInterceptor.
+   * @return this
+   */
+  public SecurityConfigurationBuilder enableCsrfSupport(Boolean enableCsrfSupport) {
+    this.enableCsrfSupport = enableCsrfSupport;
+    return this;
+  }
 }
diff --git a/springfox-swagger-common/src/test/groovy/springfox/documentation/swagger/web/ApiResourceControllerSpec.groovy b/springfox-swagger-common/src/test/groovy/springfox/documentation/swagger/web/ApiResourceControllerSpec.groovy
@@ -43,7 +43,8 @@ class ApiResourceControllerSpec extends Specification {
     "appName": "test",
     "scopeSeparator": ",",
     "additionalQueryStringParams": {"string":"value","boolean":true,"int":1},
-    "useBasicAuthenticationWithAccessCodeGrant": false
+    "useBasicAuthenticationWithAccessCodeGrant": false,
+    "enableCsrfSupport": true
 }"""
   def ui = """{
     "apisSorter":"alpha",
@@ -93,6 +94,7 @@ class ApiResourceControllerSpec extends Specification {
           .scopeSeparator(",")
           .additionalQueryStringParams(['string': 'value', 'boolean': true, 'int': 1])
           .useBasicAuthenticationWithAccessCodeGrant(false)
+          .enableCsrfSupport(true)
           .build()
       uiConfiguration = UiConfigurationBuilder.builder()
           .deepLinking(true)
diff --git a/springfox-swagger-ui/src/web/js/springfox.js b/springfox-swagger-ui/src/web/js/springfox.js
@@ -107,6 +107,12 @@ window.onload = () => {
       \*--------------------------------------------*/
       modelPropertyMacro: null,
       parameterMacro: null,
+      /*--------------------------------------------*\
+       * Custom configs
+      \*--------------------------------------------*/
+      custom: {
+        enableCsrfSupport: configSecurity.enableCsrfSupport,
+      },
     });
 
     ui.initOAuth({
@@ -133,7 +139,9 @@ window.onload = () => {
   /* Entry Point */
   (async () => {
     await buildSystemAsync(getBaseURL());
-    await csrfSupport(getBaseURL());
+    if (window.ui.getConfigs().custom.enableCsrfSupport) {
+      await csrfSupport(getBaseURL());
+    }
   })();
 
 };

Original file line number	Diff line number	Diff line change
`@@ -140,6 +140,7 @@ SecurityConfiguration security() {`
`140`	`140`	`.scopeSeparator(",")`
`141`	`141`	`.additionalQueryStringParams(null)`
`142`	`142`	`.useBasicAuthenticationWithAccessCodeGrant(false)`
	`143`	`+ .enableCsrfSupport(false)`
`143`	`144`	`.build();`
`144`	`145`	`}`
`145`	`146`