feat(oauth2): integrate @csrf-armor/nextjs for consent flow CSRF protection

Adds signed-double-submit CSRF protection to all three Next.js example
apps using @csrf-armor/nextjs. The middleware composes with the existing
Ory middleware, skipping CSRF validation for Ory-proxied paths.

Also adds session identity validation to the nextjs-app-router consent
API route to match the pattern already used in the other two examples.

Author: Jorgagu

examples/nextjs-app-router-custom-components/.env

@@ -3,3 +3,6 @@ NEXT_PUBLIC_ORY_SDK_URL=https://nervous-lewin-4edwdlsbyw.projects.oryapis.com
 
 # Set the API Token for support of SAML and OIDC.
 ORY_PROJECT_API_TOKEN=
+
+# Secret key for CSRF token signing (replace with a secure random value in production)
+CSRF_SECRET=change-me-to-a-32-char-secret!!

examples/nextjs-app-router-custom-components/app/auth/consent/page.tsx

@@ -7,6 +7,7 @@ import {
   getServerSession,
   OryPageParams,
 } from "@ory/nextjs/app"
+import { cookies } from "next/headers"
 
 import { myCustomComponents } from "@/components"
 import config from "@/ory.config"
@@ -19,12 +20,15 @@ export default async function ConsentPage(props: OryPageParams) {
     return null
   }
 
+  const cookieStore = await cookies()
+  const csrfToken = cookieStore.get("csrf-token")?.value ?? ""
+
   return (
     <Consent
       consentChallenge={consentRequest}
       session={session}
       config={config}
-      csrfToken=""
+      csrfToken={csrfToken}
       formActionUrl="/api/consent"
       components={myCustomComponents}
     />

examples/nextjs-app-router-custom-components/middleware.ts

@@ -1,11 +1,52 @@
 // Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
+import { createCsrfMiddleware } from "@csrf-armor/nextjs"
 import { createOryMiddleware } from "@ory/nextjs/middleware"
+import { NextRequest, NextResponse } from "next/server"
+
 import oryConfig from "@/ory.config"
 
-// This function can be marked `async` if using `await` inside
-export const middleware = createOryMiddleware(oryConfig)
+const oryMiddleware = createOryMiddleware(oryConfig)
+
+const csrfProtect = createCsrfMiddleware({
+  strategy: "signed-double-submit",
+  secret: process.env.CSRF_SECRET,
+  cookie: {
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    httpOnly: false,
+  },
+  token: { fieldName: "csrf_token" },
+  excludePaths: ["/self-service", "/sessions", "/.well-known", "/.ory"],
+})
+
+const oryPathPrefixes = [
+  "/self-service/",
+  "/sessions/",
+  "/.well-known/",
+  "/.ory/",
+]
+
+export async function middleware(request: NextRequest) {
+  const oryResponse = await oryMiddleware(request)
+
+  const isOryPath = oryPathPrefixes.some((prefix) =>
+    request.nextUrl.pathname.startsWith(prefix),
+  )
+  if (isOryPath) {
+    return oryResponse
+  }
+
+  const response = NextResponse.next()
+  const result = await csrfProtect(request, response)
+  if (!result.success) {
+    return NextResponse.json(
+      { error: "CSRF validation failed" },
+      { status: 403 },
+    )
+  }
+  return response
+}
 
-// See "Matching Paths" below to learn more
 export const config = {}

examples/nextjs-app-router-custom-components/package.json

@@ -9,6 +9,7 @@
     "lint": "next lint"
   },
   "dependencies": {
+    "@csrf-armor/nextjs": "^1.4.1",
     "@ory/client-fetch": "1.22.22",
     "@ory/elements-react": "*",
     "@ory/nextjs": "*",

examples/nextjs-app-router/.env

@@ -3,3 +3,6 @@ NEXT_PUBLIC_ORY_SDK_URL=https://nervous-lewin-4edwdlsbyw.projects.oryapis.com
 
 # Set the API Token for support of SAML and OIDC.
 ORY_PROJECT_API_TOKEN=
+
+# Secret key for CSRF token signing (replace with a secure random value in production)
+CSRF_SECRET=change-me-to-a-32-char-secret!!

examples/nextjs-app-router/app/api/consent/route.ts

@@ -1,7 +1,11 @@
 // Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
-import { acceptConsentRequest, rejectConsentRequest } from "@ory/nextjs/app"
+import {
+  acceptConsentRequest,
+  getServerSession,
+  rejectConsentRequest,
+} from "@ory/nextjs/app"
 import { NextResponse } from "next/server"
 
 interface ConsentBody {
@@ -40,6 +44,24 @@ async function parseRequest(request: Request): Promise<ConsentBody> {
 }
 
 export async function POST(request: Request) {
+  const session = await getServerSession()
+  if (!session) {
+    console.error("Consent security: No session found")
+    return NextResponse.json(
+      { error: "unauthorized", error_description: "No session" },
+      { status: 401 },
+    )
+  }
+
+  const identityId = session.identity?.id
+  if (!identityId) {
+    console.error("Consent security: Session has no identity ID")
+    return NextResponse.json(
+      { error: "unauthorized", error_description: "Invalid session" },
+      { status: 401 },
+    )
+  }
+
   const body = await parseRequest(request)
 
   const action = body.action
@@ -68,14 +90,31 @@ export async function POST(request: Request) {
       redirectTo = await acceptConsentRequest(consentChallenge, {
         grantScope,
         remember,
+        identityId,
       })
     } else {
-      redirectTo = await rejectConsentRequest(consentChallenge)
+      redirectTo = await rejectConsentRequest(consentChallenge, {
+        identityId,
+      })
     }
 
     return NextResponse.json({ redirect_to: redirectTo })
   } catch (error) {
     console.error("Consent error:", error)
+
+    if (
+      error instanceof Error &&
+      error.message.includes("does not match consent request subject")
+    ) {
+      return NextResponse.json(
+        {
+          error: "forbidden",
+          error_description: "Session does not match consent request subject",
+        },
+        { status: 403 },
+      )
+    }
+
     return NextResponse.json(
       { error: "server_error", error_description: "Failed to process consent" },
       { status: 500 },

examples/nextjs-app-router/app/auth/consent/page.tsx

@@ -7,6 +7,7 @@ import {
   getServerSession,
   OryPageParams,
 } from "@ory/nextjs/app"
+import { cookies } from "next/headers"
 
 import config from "@/ory.config"
 
@@ -18,12 +19,15 @@ export default async function ConsentPage(props: OryPageParams) {
     return null
   }
 
+  const cookieStore = await cookies()
+  const csrfToken = cookieStore.get("csrf-token")?.value ?? ""
+
   return (
     <Consent
       consentChallenge={consentRequest}
       session={session}
       config={config}
-      csrfToken=""
+      csrfToken={csrfToken}
       formActionUrl="/api/consent"
       components={{
         Card: {},

examples/nextjs-app-router/middleware.ts

@@ -1,11 +1,52 @@
 // Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
+import { createCsrfMiddleware } from "@csrf-armor/nextjs"
 import { createOryMiddleware } from "@ory/nextjs/middleware"
+import { NextRequest, NextResponse } from "next/server"
+
 import oryConfig from "@/ory.config"
 
-// This function can be marked `async` if using `await` inside
-export const middleware = createOryMiddleware(oryConfig)
+const oryMiddleware = createOryMiddleware(oryConfig)
+
+const csrfProtect = createCsrfMiddleware({
+  strategy: "signed-double-submit",
+  secret: process.env.CSRF_SECRET,
+  cookie: {
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    httpOnly: false,
+  },
+  token: { fieldName: "csrf_token" },
+  excludePaths: ["/self-service", "/sessions", "/.well-known", "/.ory"],
+})
+
+const oryPathPrefixes = [
+  "/self-service/",
+  "/sessions/",
+  "/.well-known/",
+  "/.ory/",
+]
+
+export async function middleware(request: NextRequest) {
+  const oryResponse = await oryMiddleware(request)
+
+  const isOryPath = oryPathPrefixes.some((prefix) =>
+    request.nextUrl.pathname.startsWith(prefix),
+  )
+  if (isOryPath) {
+    return oryResponse
+  }
+
+  const response = NextResponse.next()
+  const result = await csrfProtect(request, response)
+  if (!result.success) {
+    return NextResponse.json(
+      { error: "CSRF validation failed" },
+      { status: 403 },
+    )
+  }
+  return response
+}
 
-// See "Matching Paths" below to learn more
 export const config = {}

examples/nextjs-app-router/package.json

@@ -9,8 +9,9 @@
     "lint": "next lint"
   },
   "dependencies": {
-    "@ory/nextjs": "*",
+    "@csrf-armor/nextjs": "^1.4.1",
     "@ory/elements-react": "*",
+    "@ory/nextjs": "*",
     "next": "15.5.9",
     "react": "^18",
     "react-dom": "^18"

examples/nextjs-pages-router/.env

@@ -3,3 +3,6 @@ NEXT_PUBLIC_ORY_SDK_URL=https://nervous-lewin-4edwdlsbyw.projects.oryapis.com
 
 # Set the API Token for support of SAML and OIDC.
 ORY_PROJECT_API_TOKEN=
+
+# Secret key for CSRF token signing (replace with a secure random value in production)
+CSRF_SECRET=change-me-to-a-32-char-secret!!