880894 - Implement CSRF protection for MakeAPI

Status: RESOLVED FIXED

(Webmaker Graveyard :: MakeAPI, defect)

Comment 1

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/MakeAPI/pull/81

This patch adds the express.csrf() middleware to routes that use our Webmaker SSO to make authenticated API calls. ( The Login/Admin pages )

I added the option for a csrf token in the Make API client code so that it can be applied to the header of requests.

Regular routes that are used by our trusted apps and through basic authentication do not need csrf protection since they can't be loaded into an iframe and abused by an attacker. Also, searching doesn't change the state of the session/database and thus does not need CSRF protection either.

Comment 2

[Jon Buckley [:jbuck]]

Comment on attachment 760395 [details] [review]
https://github.com/mozilla/MakeAPI/pull/81

r+ with nits, I think you can delete the reference to the CSRF token in the node strategy.

Comment 3

[[github robot]]

Commit pushed to master at https://github.com/mozilla/MakeAPI

https://github.com/mozilla/MakeAPI/commit/673b62980eff38522fdc870d8bc0994dd300de3f
Fix Bug 880894 - Add CSRF middleware to protect vulnerable admin routes and paths

Comment 4

[Jeffery hill Sr]

I,m the only user Jeffery hill Sr of 2300 so caraway rd rm 207 Jonesboro AR 72401 3134559189,Jefferyhill835@yahoo.com,ho