880900 - Add CSRF token support to sso-ux.js

Status: RESOLVED FIXED

(Webmaker Graveyard :: Login, defect)

Description

[Jon Buckley [:jbuck]]

From bug 878963, we need to add support for CSRF tokens to sso-ux.js.

The way to do this is to look for a <meta name="csrf-token"> element (or some agreed-upon standard <meta> tag). Then when sending an XHR to the local server, Add the X-CSRF-Token header with has the value of the <meta> tag.

Comment 1

[Matthew Schranz [:mjschranz]]

Attachment: https://github.com/mozilla/login.webmaker.org/pull/91

The major question is, do I need to add the token for all post requests (including the ones being sent to the login server related to users)?

Comment 2

[Jon Buckley [:jbuck]]

Comment on attachment 760023 [details] [review]
https://github.com/mozilla/login.webmaker.org/pull/91

r+ with nits noted in the PR.

This won't work for creating new users though, since we don't have a CSRF token from the login server to send with that request. I think we need to restructure process so creating new users goes through the local server, not directly to the loginapi.

This should work well enough for popcorn, thimble and webmaker.org though!

Comment 3

[Matthew Schranz [:mjschranz]]

Maybe I'm reading the code wrong but it looks to me like it's doing that already. If you look at the script that's included on pages it's posting to whatever HOSTNAME was set to in the login server ENV. Pretty sure it is not using the loginapi.

In any case, yay.

Comment 4

[[github robot]]

Commit pushed to master at https://github.com/mozilla/login.webmaker.org

https://github.com/mozilla/login.webmaker.org/commit/21de6c646933d37d6b04197f8c64b9c52c304220
Fix Bug 880900 - Add CSRF Token support to SSO requests