[backend] fix(security): add csrf token management (#1785)

openaev-api/src/main/java/io/openaev/config/AppSecurityConfig.java

@@ -14,13 +14,15 @@
 import io.openaev.service.UserMappingService;
 import io.openaev.service.user_events.UserEventService;
 import jakarta.annotation.Resource;
+import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -42,7 +44,10 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 
 @Configuration
 @EnableWebSecurity
@@ -63,7 +68,12 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     http.addFilterBefore(tokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
         .requestCache(Customizer.withDefaults())
         .requestCache(cache -> cache.requestCache(new HttpSessionRequestCache()))
-        .csrf(AbstractHttpConfigurer::disable)
+        .csrf(
+            csrf ->
+                csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                    .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
+                    .ignoringRequestMatchers("/api/health", "/api/login", "/actuator/**")
+                    .ignoringRequestMatchers(bearerWithoutCookiesMatcher()))
         .formLogin(AbstractHttpConfigurer::disable)
         .securityContext(securityContext -> securityContext.requireExplicitSave(false))
         .authorizeHttpRequests(
@@ -227,4 +237,14 @@ private OAuth2AuthorizationRequest customize(
       }
     };
   }
+
+  private RequestMatcher bearerWithoutCookiesMatcher() {
+    return request -> {
+      String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
+      Cookie[] cookies = request.getCookies();
+      boolean hasBearer = authorization != null && authorization.startsWith("Bearer ");
+      boolean hasCookies = cookies != null && cookies.length > 0;
+      return hasBearer && !hasCookies;
+    };
+  }
 }

openaev-api/src/test/java/io/openaev/api/custom_dashboard/CustomDashboardApiExporterTest.java

@@ -10,6 +10,7 @@
 import static io.openaev.utilstest.ZipUtils.convertToJson;
 import static io.openaev.utilstest.ZipUtils.extractAllFilesFromZip;
 import static org.junit.jupiter.api.Assertions.*;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -60,7 +61,8 @@ void export_custom_dashboard_with_include_returns_custom_dashboard_with_relation
     // -- EXECUTE --
     byte[] response =
         mockMvc
-            .perform(get(CUSTOM_DASHBOARDS_URI + "/" + wrapper.get().getId() + "/export"))
+            .perform(
+                get(CUSTOM_DASHBOARDS_URI + "/" + wrapper.get().getId() + "/export").with(csrf()))
             .andExpect(status().is2xxSuccessful())
             .andReturn()
             .getResponse()

openaev-api/src/test/java/io/openaev/api/custom_dashboard/CustomDashboardApiImporterTest.java

@@ -6,6 +6,7 @@
 import static java.util.Collections.emptyMap;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.multipart;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -52,7 +53,7 @@ void import_custom_dashboard_with_include_returns_custom_dashboard_with_relation
     // -- EXECUTE --
     String response =
         mockMvc
-            .perform(multipart(CUSTOM_DASHBOARDS_URI + "/import").file(zipFile))
+            .perform(multipart(CUSTOM_DASHBOARDS_URI + "/import").file(zipFile).with(csrf()))
             .andExpect(status().is2xxSuccessful())
             .andReturn()
             .getResponse()