[backend] fix(security): add csrf token management (#1785)

Author: gabriel-peze

openaev-api/src/main/java/io/openaev/config/AppSecurityConfig.java

@@ -51,6 +51,8 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 
 @Configuration
@@ -72,7 +74,21 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     http.addFilterBefore(tokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
         .requestCache(Customizer.withDefaults())
         .requestCache(cache -> cache.requestCache(new HttpSessionRequestCache()))
-        .csrf(AbstractHttpConfigurer::disable)
+        .csrf(
+            csrf ->
+                csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                    .csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
+                    .ignoringRequestMatchers(
+                        "/api/health",
+                        "/api/comcheck/**",
+                        "/api/player/**",
+                        "/api/settings",
+                        "/api/agent/**",
+                        "/api/implant/**",
+                        "/api/login",
+                        "/api/reset/**",
+                        "/api/**",
+                        "/actuator/**"))
         .formLogin(AbstractHttpConfigurer::disable)
         .securityContext(securityContext -> securityContext.requireExplicitSave(false))
         .authorizeHttpRequests(