CSRF protection when making requests from Javascript

[MaxGabriel]

Yesod supports CSRF protection when generating forms, but as far as I'm aware, doesn't have native support for validating CSRF tokens when making requests from Javascript requests.

To improve this situation, I'd like to:

1. Add the CSRF token to the scaffolding's default layout in a way that is accessible by Javascript, potentially in a <meta> tag in the <head> of the HTML (This is what Ruby on Rails does):

   mCsrfToken <- fmap reqToken getRequest -- in defaultLayout function

   $maybe token <- mCsrfToken
     <meta name="csrf-token" content=#{token}>
   

2. Add something to the scaffolding to add the CSRF token to a request made by Javascript (potentially using jQuery's ajaxPrefilter to add the token as a header). This would go along with the PR to add more JSON examples to the scaffolding (Draft of using Yesod as an API server to a Javascript frontend yesod-scaffold#76)

3. Add a function to Yesod to check the CSRF token in a standard way for Javascript requests. I'm not sure if there's a better solution here than requiring users to manually call a checkCsrfToken method. Potentially it could be combined with functions like requireJsonBody?

I think these changes would improve security for Yesod users, who might not be aware of CSRF attacks, and improve Yesod as an API server. Thoughts?

---

Somewhat related: SO answer in which I implement some bits of this functionality.

[gregwebs]

I like the angular way of doing card protection better. https://docs.angularjs.org/api/ng/service/$http

[MaxGabriel]

It looks like the Angular approach is to store the CSRF token in a cookie (XSRF-TOKEN) to send downstream, and include it as a header (X-XSRF-TOKEN) going upstream. This seems like it would simplify accessing the CSRF token from non-browser environments, because you wouldn't have to query the DOM for token (perhaps this would be good for tests?).

If I understand correctly, there might be a security advantage to this approach because JS loaded from other domains wouldn't be able to read your domain's cookies (though this advantage is negated if you store CSRF tokens elsewhere in the page, like in server-generated forms).

A slight disadvantage is that it would increase request size for requests that don't need a CSRF token, like requests for images, but that's probably negligible.

I'm cool with that approach.

[MaxGabriel]

Worked on this a little more this weekend; seems fairly simple to implement. Code snippets from what I'm working on attached. Needs some work to allow configuration of the cookie and header.

setCsrfCookie :: Handler ()
setCsrfCookie = do
    mCsrfToken <- reqToken <$> getRequest
    case mCsrfToken of
        Nothing -> return () 
        Just token -> setCookie $ def { setCookieName = "XSRF-TOKEN", setCookieValue = TE.encodeUtf8 token }

// This would come in the scaffolding
$.ajaxPrefilter(function( options, originalOptions, jqXHR ) {
  var xsrfToken = Cookies.get('XSRF-TOKEN'); // Potentially get cookie key from Haskell code and embed it here?

  if (xsrfToken) {
    console.log("Setting CSRF header");
    // Need to only set this for the current domain.
    jqXHR.setRequestHeader("X-XSRF-TOKEN",xsrfToken);
  }

});

checkCsrfHeader :: Handler ()
checkCsrfHeader = do
  mCsrfToken  <- reqToken <$> getRequest
  mXsrfHeader <- lookupHeader "X-XSRF-TOKEN"

  traceM $ "CSRF header is " ++ show mCsrfToken
  traceM $ "XSRF header is " ++ show mXsrfHeader

  if (TE.encodeUtf8 <$> mCsrfToken) == mXsrfHeader
    then return ()
    else error "Invalid CSRF token in header"

[gregwebs]

looks good :) you can use mapM and when to avoid return ()

[MaxGabriel]

Implemented by #1017

[mrkkrp]

When should setCsrfCookie be called? On login?