stack

mosaic/stack

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jason Woltje	7390cac2cc	fix(#338 ): Bind CSRF token to user session with HMAC - Token now includes HMAC binding to session ID - Validates session binding on verification - Adds CSRF_SECRET configuration requirement - Requires authentication for CSRF token endpoint - 51 new tests covering session binding security Security: CSRF tokens are now cryptographically tied to user sessions, preventing token reuse across sessions and mitigating session fixation attacks. Token format: {random_part}:{hmac(random_part + user_id, secret)} Refs #338 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-05 16:33:22 -06:00
Jason Woltje	ebd842f007	fix(#278 ): Implement CSRF protection using double-submit cookie pattern Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details Implemented comprehensive CSRF protection for all state-changing endpoints (POST, PATCH, DELETE) using the double-submit cookie pattern. Security Implementation: - Created CsrfGuard using double-submit cookie validation - Token set in httpOnly cookie and validated against X-CSRF-Token header - Applied guard to FederationController (vulnerable endpoints) - Safe HTTP methods (GET, HEAD, OPTIONS) automatically exempted - Signature-based endpoints (@SkipCsrf decorator) exempted Components Added: - CsrfGuard: Validates cookie and header token match - CsrfController: GET /api/v1/csrf/token endpoint for token generation - @SkipCsrf(): Decorator to exempt endpoints with alternative auth - Comprehensive tests (20 tests, all passing) Protected Endpoints: - POST /api/v1/federation/connections/initiate - POST /api/v1/federation/connections/:id/accept - POST /api/v1/federation/connections/:id/reject - POST /api/v1/federation/connections/:id/disconnect - POST /api/v1/federation/instance/regenerate-keys Exempted Endpoints: - POST /api/v1/federation/incoming/connect (signature-verified) - GET requests (safe methods) Security Features: - httpOnly cookies prevent XSS attacks - SameSite=strict prevents subdomain attacks - Cryptographically secure random tokens (32 bytes) - 24-hour token expiry - Structured logging for security events Testing: - 14 guard tests covering all scenarios - 6 controller tests for token generation - Quality gates: lint, typecheck, build all passing Note: Frontend integration required to use tokens. Clients must: 1. GET /api/v1/csrf/token to receive token 2. Include token in X-CSRF-Token header for state-changing requests Fixes #278 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-03 20:35:00 -06:00

Author

SHA1

Message

Date

Jason Woltje

7390cac2cc

fix(#338 ): Bind CSRF token to user session with HMAC

- Token now includes HMAC binding to session ID
- Validates session binding on verification
- Adds CSRF_SECRET configuration requirement
- Requires authentication for CSRF token endpoint
- 51 new tests covering session binding security

Security: CSRF tokens are now cryptographically tied to user sessions,
preventing token reuse across sessions and mitigating session fixation
attacks.

Token format: {random_part}:{hmac(random_part + user_id, secret)}

Refs #338

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-02-05 16:33:22 -06:00

Jason Woltje

ebd842f007

fix(#278 ): Implement CSRF protection using double-submit cookie pattern

ci/woodpecker/push/woodpecker Pipeline failed

Details

Implemented comprehensive CSRF protection for all state-changing endpoints
(POST, PATCH, DELETE) using the double-submit cookie pattern.

Security Implementation:
- Created CsrfGuard using double-submit cookie validation
- Token set in httpOnly cookie and validated against X-CSRF-Token header
- Applied guard to FederationController (vulnerable endpoints)
- Safe HTTP methods (GET, HEAD, OPTIONS) automatically exempted
- Signature-based endpoints (@SkipCsrf decorator) exempted

Components Added:
- CsrfGuard: Validates cookie and header token match
- CsrfController: GET /api/v1/csrf/token endpoint for token generation
- @SkipCsrf(): Decorator to exempt endpoints with alternative auth
- Comprehensive tests (20 tests, all passing)

Protected Endpoints:
- POST /api/v1/federation/connections/initiate
- POST /api/v1/federation/connections/:id/accept
- POST /api/v1/federation/connections/:id/reject
- POST /api/v1/federation/connections/:id/disconnect
- POST /api/v1/federation/instance/regenerate-keys

Exempted Endpoints:
- POST /api/v1/federation/incoming/connect (signature-verified)
- GET requests (safe methods)

Security Features:
- httpOnly cookies prevent XSS attacks
- SameSite=strict prevents subdomain attacks
- Cryptographically secure random tokens (32 bytes)
- 24-hour token expiry
- Structured logging for security events

Testing:
- 14 guard tests covering all scenarios
- 6 controller tests for token generation
- Quality gates: lint, typecheck, build all passing

Note: Frontend integration required to use tokens. Clients must:
1. GET /api/v1/csrf/token to receive token
2. Include token in X-CSRF-Token header for state-changing requests

Fixes #278

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-03 20:35:00 -06:00

2 Commits