Merge pull request #79 from willemvermeer/master

adamw · web-flow · commit c4c82275daee · 2021-01-07T08:20:33.000+01:00
hmac encoded csrf token
diff --git a/core/src/main/java/com/softwaremill/session/javadsl/CsrfDirectives.scala b/core/src/main/java/com/softwaremill/session/javadsl/CsrfDirectives.scala
@@ -11,12 +11,18 @@ import com.softwaremill.session.CsrfCheckMode
  */
 trait CsrfDirectives {
 
-  def randomTokenCsrfProtection[T](checkMode: CsrfCheckMode[T], inner: Supplier[Route]): Route = RouteAdapter {
-    com.softwaremill.session.CsrfDirectives.randomTokenCsrfProtection(checkMode) {
+  def hmacTokenCsrfProtection[T](checkMode: CsrfCheckMode[T], inner: Supplier[Route]): Route = RouteAdapter {
+    com.softwaremill.session.CsrfDirectives.hmacTokenCsrfProtection(checkMode) {
       inner.get.asInstanceOf[RouteAdapter].delegate
     }
   }
 
+  /**
+    * @deprecated as of release 0.6.1, replaced by {@link #hmacTokensCsrfProtection()}
+    */
+  def randomTokenCsrfProtection[T](checkMode: CsrfCheckMode[T], inner: Supplier[Route]): Route =
+    hmacTokenCsrfProtection(checkMode, inner)
+
   def setNewCsrfToken[T](checkMode: CsrfCheckMode[T], inner: Supplier[Route]): Route = RouteAdapter {
     com.softwaremill.session.CsrfDirectives.setNewCsrfToken(checkMode) {
       inner.get.asInstanceOf[RouteAdapter].delegate
diff --git a/core/src/main/scala/com/softwaremill/session/CsrfDirectives.scala b/core/src/main/scala/com/softwaremill/session/CsrfDirectives.scala
@@ -1,7 +1,7 @@
 package com.softwaremill.session
 
 import akka.http.scaladsl.server.Directives._
-import akka.http.scaladsl.server.{Directive0, Directive1}
+import akka.http.scaladsl.server.{ Directive0, Directive1 }
 import akka.stream.Materializer
 
 trait CsrfDirectives {
@@ -11,19 +11,23 @@ trait CsrfDirectives {
     * doesn't have the token set in the header. For all other requests, the value of the token from the CSRF cookie must
     * match the value in the custom header (or request body, if `checkFormBody` is `true`).
     *
+    * The cookie value is the concatenation of a timestamp and its HMAC hash following the OWASP recommendation for
+    * CSRF prevention:
+    * @see <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#hmac-based-token-pattern">OWASP</a>
+    *
     * Note that this scheme can be broken when not all subdomains are protected or not using HTTPS and secure cookies,
     * and the token is placed in the request body (not in the header).
     *
     * See the documentation for more details.
     */
-  def randomTokenCsrfProtection[T](checkMode: CsrfCheckMode[T]): Directive0 = {
+  def hmacTokenCsrfProtection[T](checkMode: CsrfCheckMode[T]): Directive0 = {
     csrfTokenFromCookie(checkMode).flatMap {
       case Some(cookie) =>
         // if a cookie is already set, we let through all get requests (without setting a new token), or validate
         // that the token matches.
         get.recover { _ =>
           submittedCsrfToken(checkMode).flatMap { submitted =>
-            if (submitted == cookie && !cookie.isEmpty) {
+            if (submitted == cookie && !cookie.isEmpty && checkMode.csrfManager.validateToken(cookie)) {
               pass
             } else {
               reject(checkMode.csrfManager.tokenInvalidRejection).toDirective[Unit]
@@ -36,6 +40,9 @@ trait CsrfDirectives {
     }
   }
 
+  @deprecated("use hmacTokenCsrfProtection", "0.6.1")
+  def randomTokenCsrfProtection[T](checkMode: CsrfCheckMode[T]): Directive0 = hmacTokenCsrfProtection(checkMode)
+
   def submittedCsrfToken[T](checkMode: CsrfCheckMode[T]): Directive1[String] = {
     headerValueByName(checkMode.manager.config.csrfSubmittedName).recover { rejections =>
       checkMode match {
diff --git a/core/src/main/scala/com/softwaremill/session/SessionManager.scala b/core/src/main/scala/com/softwaremill/session/SessionManager.scala
@@ -1,14 +1,15 @@
 package com.softwaremill.session
 
 import java.util.concurrent.TimeUnit
-
 import akka.http.scaladsl.server.AuthorizationFailedRejection
 
 import scala.concurrent.duration.Duration
 import scala.concurrent.{ExecutionContext, Future}
 
 import akka.http.scaladsl.model.headers.{RawHeader, HttpCookie}
 
+import scala.util.Try
+
 class SessionManager[T](val config: SessionConfig)(implicit sessionEncoder: SessionEncoder[T]) { manager =>
 
   val clientSessionManager: ClientSessionManager[T] = new ClientSessionManager[T] {
@@ -19,6 +20,7 @@ class SessionManager[T](val config: SessionConfig)(implicit sessionEncoder: Sess
 
   val csrfManager: CsrfManager[T] = new CsrfManager[T] {
     override def config = manager.config
+    override def nowMillis = manager.nowMillis
   }
 
   def createRefreshTokenManager(_storage: RefreshTokenStorage[T]): RefreshTokenManager[T] = new RefreshTokenManager[T] {
@@ -82,9 +84,27 @@ trait ClientSessionManager[T] {
 
 trait CsrfManager[T] {
   def config: SessionConfig
+  def nowMillis: Long
 
   def tokenInvalidRejection = AuthorizationFailedRejection
-  def createToken(): String = SessionUtil.randomString(64)
+
+  def createToken(): String = {
+    val millis = nowMillis.toString
+    val hmac = generateHmac(millis)
+    encodeToken(millis, hmac)
+  }
+  def validateToken(token: String): Boolean =
+    token.nonEmpty &&
+      decodeToken(token).fold(
+        _ => false,
+        { case (millis, hmac) => SessionUtil.constantTimeEquals(hmac, generateHmac(millis)) }
+      )
+  private def encodeToken(millis: String, hmac: String): String = s"$millis-$hmac"
+  private def decodeToken(token: String): Try[(String, String)] = Try {
+    val splitted = token.split("-", 2)
+    (splitted(0), splitted(1))
+  }
+  private def generateHmac(t: String): String = Crypto.sign_HmacSHA256_base64_v0_5_2(t, config.serverSecret)
 
   def createCookie() =
     HttpCookie(
diff --git a/core/src/test/scala/com/softwaremill/session/CsrfDirectivesTest.scala b/core/src/test/scala/com/softwaremill/session/CsrfDirectivesTest.scala
@@ -18,7 +18,7 @@ class CsrfDirectivesTest extends AnyFlatSpec with ScalatestRouteTest with Matche
   implicit val csrfCheckMode = checkHeader
 
   def routes[T](implicit manager: SessionManager[T], checkMode: CsrfCheckMode[T]) =
-    randomTokenCsrfProtection(checkMode) {
+    hmacTokenCsrfProtection(checkMode) {
       get {
         path("site") {
           complete {
@@ -97,6 +97,35 @@ class CsrfDirectivesTest extends AnyFlatSpec with ScalatestRouteTest with Matche
     }
   }
 
+  it should "reject requests if the csrf cookie and the header contain illegal value" in {
+    Get("/site") ~> routes ~> check {
+      responseAs[String] should be("ok")
+
+      Post("/transfer_money") ~>
+        addHeader(Cookie(cookieName, "x")) ~>
+        addHeader(sessionConfig.csrfSubmittedName, "x") ~>
+        routes ~>
+        check {
+          rejections should be(List(AuthorizationFailedRejection))
+        }
+    }
+  }
+
+  it should "reject requests if the csrf cookie and the header contain structurally correct but incorrectly hashed value" in {
+    Get("/site") ~> routes ~> check {
+      responseAs[String] should be("ok")
+
+      val wrong = s"wrong${System.currentTimeMillis()}"
+      Post("/transfer_money") ~>
+        addHeader(Cookie(cookieName, wrong)) ~>
+        addHeader(sessionConfig.csrfSubmittedName, wrong) ~>
+        routes ~>
+        check {
+          rejections should be(List(AuthorizationFailedRejection))
+        }
+    }
+  }
+
   it should "accept requests if the csrf cookie matches the header value" in {
     Get("/site") ~> routes ~> check {
       responseAs[String] should be("ok")
diff --git a/example/src/main/scala/com/softwaremill/example/ScalaExample.scala b/example/src/main/scala/com/softwaremill/example/ScalaExample.scala
@@ -37,7 +37,7 @@ object Example extends App with StrictLogging {
     path("") {
       redirect("/site/index.html", Found)
     } ~
-      randomTokenCsrfProtection(checkHeader) {
+      hmacTokenCsrfProtection(checkHeader) {
         pathPrefix("api") {
           path("do_login") {
             post {
diff --git a/example/src/main/scala/com/softwaremill/example/session/SetSessionScala.scala b/example/src/main/scala/com/softwaremill/example/session/SetSessionScala.scala
@@ -32,7 +32,7 @@ object SetSessionScala extends App with StrictLogging {
   val myInvalidateSession = invalidateSession(refreshable, usingCookies)
 
   val routes =
-    randomTokenCsrfProtection(checkHeader) {
+    hmacTokenCsrfProtection(checkHeader) {
       pathPrefix("api") {
         path("do_login") {
           post {
