
Comments (19)

jasisk avatar jasisk commented on May 13, 2024

I'm no @jeffharrell, however ...

If you check out the options meddleware accepts, you'll find this:

  • route (string, optional) - An express route against which the middleware should be registered.

Basically, all that meddleware does there is app.use(yourRoute, yourMiddleware) (with some fancy route resolution to support nested apps and stuff—check out the source if you want to find out more about that).

So, assuming you want csrf only on routes under /protect, you could add a config/config.json with the following:

{
    "middleware": {
        "appsec": {
            "priority": 110,
            "module": {
                "name": "lusca",
                "arguments": [
                    {
                        "csrf": false,
                        "xframe": "SAMEORIGIN",
                        "p3p": false,
                        "csp": false
                    }
                ]
            }
        },
        "appsecprotect": {
            "route": "/protect",
            "enabled": true,
            "priority": 111,
            "module": {
                "name": "lusca",
                "arguments": [
                    {
                        "csrf": true
                    }
                ]
            }
        }
    }
}

A quick explanation:
The appsec section is to turn off the default action by kraken to enable csrf. The appsecprotect section is to turn it back on only for routes that begin with /protect.

You can see this working here. Spin up that server and hit /anything and it'll return 'unknown'. Hit '/protect' and it'll show you the token.

from kraken-js.

jeffharrell avatar jeffharrell commented on May 13, 2024

Right now it's all or nothing. This is an interesting requirement though. Let me see what I can do when I'm back from node summit.

-- Jeff

On Dec 4, 2013, at 6:44 AM, "Cristiano Betta" <[email protected]> wrote:

Part of my app is an API. How do I disable CSRF for this and only this action?




cbetta avatar cbetta commented on May 13, 2024

@jeffharrell yeah. Would also like to see how this exactly is supposed to integrate into clientside JS posts. Or is that taken care of already?


jeffharrell avatar jeffharrell commented on May 13, 2024

Client-side posts done through JavaScript would just need to pass the _csrf value as a body param when CSRF is enabled. This value comes back in the page model, so it could either be injected into the JavaScript or pulled from the page via JavaScript when the page is rendered.


lmarkus avatar lmarkus commented on May 13, 2024

Closing as it doesn't belong in this repo.


mickeyckm avatar mickeyckm commented on May 13, 2024

Any idea when this feature is going to be released?


kesava avatar kesava commented on May 13, 2024

Would love to know when this feature is going to be released.


jeffharrell avatar jeffharrell commented on May 13, 2024

This is now possible using Kraken 1.0's meddleware config and setting the routes property on lusca/csrf.


ccsevers avatar ccsevers commented on May 13, 2024

@jeffharrell Can you give a quick example of disabling CSRF for a specific route in the meddleware config?


ccsevers avatar ccsevers commented on May 13, 2024

Works perfect, thanks!


jasisk avatar jasisk commented on May 13, 2024

Worth mentioning that what's happening here is, for /protect routes, lusca as registered by appsec kicks in, then lusca as registered by appsecprotect kicks in immediately afterwards. If lusca was destructive, that could cause a problem. In this case, since it's not, it merely adds csrf without disabling the others.

I mention this because the reverse—disabling csrf for only some routes—would not work with this pattern.


ccsevers avatar ccsevers commented on May 13, 2024

Ahh, yes, it actually isn't working for disabling csrf. Any options for that? Disabling on certain routes is what I really want, actually.

On Monday, July 7, 2014 at 6:00 PM, Jean-Charles Sisk (jasisk) wrote in "Re: [kraken-js] Disable CSRF for some paths (#46)":


jasisk avatar jasisk commented on May 13, 2024

Can't confirm any of this stuff at the moment (on a tablet) but, off the top of my head ...

First, express can take a regular expression as a mountpoint. You could register a regex with a negative lookahead to not match on specific routes. Let's say, for example, you want to disable csrf for /api routes. The regex you'd want is /^(?!\/api).+$/. The middleware registered against that route will fire for everything BUT routes that start with /api. As I recall, we don't support regex routes in meddleware since json doesn't support regex, but I could be mistaken (give it a shot). Could potentially do some funky stuff since we do some mountpath resolution on your behalf, but as long as you don't set express:mountpath, don't register kraken with app.use('/someMountPath', kraken()), and don't mount a sub-application, you shouldn't have anything to worry about.

Next, you could disable lusca in config, then write and configure your own middleware that conditionally calls the lusca middleware based on the req path. The path <-> regex resolution in express is provided by the path-to-regexp module; you could use that to ensure that your test for /api works the same way as express and then either call next() if it succeeds (i.e., is a /api route) or lusca(options)(req, res, next); if not.


sayanee avatar sayanee commented on May 13, 2024

Just tried for disabling csrf for only one route, while enabling everything else. Still does not work - any work around yet? Thanks!

For reference, my config.json contains:

...
"appsec": {
  "enabled": true,
  "priority": 110,
  "module": {
    "name": "lusca",
    "arguments": [
    {
      "csrf": true,
      "xframe": "SAMEORIGIN",
      "p3p": false,
      "csp": false
    }
    ]
  }
},

"appsecallocate": {
  "route": "/allocate",
  "priority": 111,
  "module": {
    "name": "lusca",
    "arguments": [
    {
      "csrf": false,
      "xframe": "SAMEORIGIN",
      "p3p": false,
      "csp": false
    }
    ]
  }
},
...


bthibault avatar bthibault commented on May 13, 2024

This should be documented somewhere. The only place I could find out how to turn off CSRF / and appsec in general is this thread.


jasisk avatar jasisk commented on May 13, 2024

@bthibault the README mentions application security and shows lusca's default configuration (see appsec in the included middleware section). That said, perhaps this would be a good candidate for the FAQ?


bigwisu avatar bigwisu commented on May 13, 2024

I'm trying to turn on CSRF security on more than 1 route..

"appsecprotect": {
    "route": "/allocate|/resources",
    "enabled": true,
    "priority": 111,
    "module": {
        "name": "lusca",
        "arguments": [
            {
                "csrf": true
            }
        ]
    }
}

gives me {_csrf} value on both routes.. is that the proper way of specifying?


lmarkus avatar lmarkus commented on May 13, 2024

See #193


bigwisu avatar bigwisu commented on May 13, 2024

cool so basically REGEX will do..

