feat: anti-CSRF measures when fetching flows #1458

Merged 7 commits into master from fix-1282, Jun 30, 2021
Conversation

@aeneasr aeneasr (Member) commented Jun 23, 2021

BREAKING CHANGE: This patch introduces CSRF countermeasures for fetching all self-service flows. This ensures that users cannot accidentally leak sensitive information when copy/pasting e.g. login URLs (see #1282). If a self-service flow for browsers is requested, the CSRF cookie must be included in the call, regardless of whether it is a client-side browser app or a server-side browser app calling. This does not apply to API-based flows.

As part of this change, the following endpoints have been removed:

  • GET <ory-kratos-admin>/self-service/login/flows;
  • GET <ory-kratos-admin>/self-service/registration/flows;
  • GET <ory-kratos-admin>/self-service/verification/flows;
  • GET <ory-kratos-admin>/self-service/recovery/flows;
  • GET <ory-kratos-admin>/self-service/settings/flows.

Please ensure that your server-side applications use the public port (e.g. GET <ory-kratos-public>/self-service/login/flows) for fetching self-service flows going forward.

If you use the SDKs, upgrading is easy by adding the cookie header when fetching the flows. This is only required when using browser flows on the server side.

The following example illustrates an ExpressJS (NodeJS) server-side application fetching the self-service flows.

app.get('some-route', (req: Request, res: Response) => {
-   kratos.getSelfServiceLoginFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceLoginFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceRecoveryFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceRecoveryFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceRegistrationFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceRegistrationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceVerificationFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceVerificationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceSettingsFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceSettingsFlow(flow, undefined, req.header('cookie')).then((flow) => /* ... */ )
})
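Review bot: the settings call on the last `+` line passes the cookie as the third argument (`kratos.getSelfServiceSettingsFlow(flow, undefined, req.header('cookie'))`) while the other four pass it as the second; since the migration text only says to "add the cookie header", call out that positional difference explicitly, or readers who copy the login line for settings will silently pass the cookie into the second parameter. Two smaller points: `flow` is never defined in the handler (a real Express handler reads it from `req.query.flow`), and Express route paths start with `/`, so `'some-route'` should be `'/some-route'`. Finally, `req.header('cookie')` is `undefined` when the browser sent no cookies, and the promise will then reject with the new CSRF error; the `/* ... */` should include a `.catch` that restarts the flow rather than surfacing a 500.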

For concrete details, check out the changes in the NodeJS app.

Closes #1282
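The migration described above, written out as an added example rather than code from this PR or from the Ory Kratos project: a TypeScript helper for a server-side (Express-style) app that fetches a browser flow from the public port, forwards the incoming Cookie header, and refuses to make the call at all when the browser sent no cookies, since that is exactly the leak #1282 describes. It assumes the public GET endpoints take the flow ID as the `id` query parameter, that the flow ID arrives as `?flow=` on the app's own route (the `flow` variable in the snippet above), and the hypothetical `FetchLike` type stands in for Node's `fetch` so the helper can be exercised without a network.

```typescript
// Added example (not code from the Ory Kratos project or from this PR): a server-side
// helper that fetches a browser self-service flow from the Kratos *public* port and
// forwards the browser's Cookie header so the CSRF check added in #1458 can pass.

export type FlowKind = 'login' | 'registration' | 'verification' | 'recovery' | 'settings';

// The subset of an Express request this helper needs; the real app passes `req` directly.
export interface RequestLike {
  headers: { cookie?: string | string[] };
  query: { flow?: unknown };
}

export interface FlowRequest {
  url: string;
  headers: Record<string, string>;
}

// Assumption: the public GET endpoints take the flow ID as the `id` query parameter.
export function buildFlowRequest(
  kratosPublicUrl: string,
  kind: FlowKind,
  flowId: string,
  cookieHeader: string | undefined,
): FlowRequest {
  // Flow IDs are UUIDs; reject anything else before it reaches the query string.
  if (!/^[0-9a-fA-F-]{36}$/.test(flowId)) {
    throw new Error('invalid flow id');
  }
  // A browser flow fetched without the browser's cookies is the copy/paste leak
  // from #1282 (anyone holding the URL could read the flow), and Kratos now
  // rejects such requests. Fail fast here instead of making a round trip that fails.
  if (!cookieHeader) {
    throw new Error(`refusing to fetch ${kind} flow without the browser's cookies`);
  }
  const base = kratosPublicUrl.replace(/\/+$/, '');
  return {
    url: `${base}/self-service/${kind}/flows?id=${encodeURIComponent(flowId)}`,
    headers: { Cookie: cookieHeader, Accept: 'application/json' },
  };
}

// Pull the flow ID and Cookie header out of the incoming request. Node joins
// repeated Cookie headers with "; ", so `cookie` is normally a plain string.
export function flowRequestFromIncoming(
  kratosPublicUrl: string,
  kind: FlowKind,
  req: RequestLike,
): FlowRequest {
  const flowId = typeof req.query.flow === 'string' ? req.query.flow : '';
  const raw = req.headers.cookie;
  const cookieHeader = Array.isArray(raw) ? raw.join('; ') : raw;
  return buildFlowRequest(kratosPublicUrl, kind, flowId, cookieHeader);
}

// Hypothetical minimal fetch-like signature so the helper is testable without a network.
export type FetchLike = (
  url: string,
  init: { headers: Record<string, string> },
) => Promise<{ status: number; json(): Promise<unknown> }>;

export async function fetchBrowserFlow(
  kratosPublicUrl: string,
  kind: FlowKind,
  req: RequestLike,
  doFetch: FetchLike,
): Promise<unknown> {
  const { url, headers } = flowRequestFromIncoming(kratosPublicUrl, kind, req);
  const res = await doFetch(url, { headers });
  if (res.status !== 200) {
    // Kratos answers with a non-200 status when the CSRF cookie is missing or does
    // not match the flow, or when the flow has expired; in every case the caller
    // should send the user to start a fresh flow rather than retry this one.
    throw new Error(`kratos returned ${res.status} for ${kind} flow`);
  }
  return res.json();
}
```

Forwarding the raw Cookie header deliberately includes the session cookie as well as the CSRF cookie, which the settings flow needs anyway; the helper only ever talks to the public port, matching the removal of the admin GET endpoints above.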

@aeneasr aeneasr added the feat New feature or request. label Jun 23, 2021
@aeneasr aeneasr added this to the v0.7.0-alpha.1 milestone Jun 23, 2021
@aeneasr aeneasr self-assigned this Jun 23, 2021
aeneasr added a commit to ory/kratos-selfservice-ui-node that referenced this pull request Jun 29, 2021
@aeneasr aeneasr marked this pull request as ready for review June 29, 2021 09:06
aeneasr added 3 commits June 29, 2021 12:04
# Conflicts:
#	CHANGELOG.md
#	docs/docs/CHANGELOG.md
codecov bot commented Jun 29, 2021

Codecov Report

Merging #1458 (7001067) into master (9f20d01) will increase coverage by 0.06%.
The diff coverage is 94.52%.


@@            Coverage Diff             @@
##           master    #1458      +/-   ##
==========================================
+ Coverage   71.36%   71.43%   +0.06%     
==========================================
  Files         250      250              
  Lines       10652    10685      +33     
==========================================
+ Hits         7602     7633      +31     
- Misses       2430     2431       +1     
- Partials      620      621       +1     
Impacted Files Coverage Δ
selfservice/flow/logout/handler.go 80.35% <ø> (ø)
selfservice/strategy/link/strategy_recovery.go 63.88% <0.00%> (ø)
selfservice/strategy/link/strategy_verification.go 59.84% <0.00%> (ø)
selfservice/flow/settings/handler.go 57.27% <80.00%> (-2.56%) ⬇️
examples/go/pkg/common.go 73.52% <100.00%> (+4.56%) ⬆️
internal/testhelpers/selfservice_settings.go 88.43% <100.00%> (ø)
selfservice/flow/login/handler.go 63.39% <100.00%> (+1.00%) ⬆️
selfservice/flow/recovery/handler.go 53.60% <100.00%> (+0.97%) ⬆️
selfservice/flow/registration/handler.go 67.74% <100.00%> (+1.07%) ⬆️
selfservice/flow/request.go 87.87% <100.00%> (ø)
... and 7 more

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@aeneasr aeneasr merged commit 5171557 into master Jun 30, 2021
@aeneasr aeneasr deleted the fix-1282 branch June 30, 2021 08:11
t-tomalak pushed a commit to Wikia/kratos that referenced this pull request Jul 16, 2021
About two months ago we released Ory Kratos v0.6. Today, we are excited to announce the next iteration of Ory Kratos v0.7! This release includes 215 commits from 24 contributors with over 770 files and more than 100.000 lines of code changed!

Ory Kratos v0.7 brings massive developer experience improvements:

- A reworked, tested, and standardized SDK based on OpenAPI 3.0.3 ([ory#1477](ory#1477), [ory#1424](ory#1424));
- Native support of Single-Page-Apps (ReactJS, AngularJS, ...) for all self-service flows ([ory#1367](ory#1367));
- Sign in with Yandex, VK, Auth0, Slack;
- An all-new, secure logout flow ([ory#1433](ory#1433));
- Important security updates to the self-service GET APIs ([ory#1458](ory#1458), [ory#1282](ory#1282));
- Built-in support for TLS ([ory#1466](ory#1466));
- Improved documentation and Go Module structure;
- Resolving a case-sensitivity bug in self-service recovery and verification flows;
- Improved performance for listing identities;
- Support for Instant tracing ([ory#1429](ory#1429));
- Improved control for SMTPS, supporting SSL and STARTTLS ([ory#1430](ory#1430));
- Ability to run Ory Kratos in networks without outbound requests ([ory#1445](ory#1445));
- Improved control over HTTP Cookie behavior ([ory#1531](ory#1531));
- Several smaller user experience improvements and bug fixes;
- Improved e2e test pipeline.

In the next iteration of Ory Kratos, we will focus on providing a NextJS example application for the SPA integration as well as the long-awaited MFA flows!

Please be aware that upgrading to Ory Kratos 0.7 requires you to apply SQL migrations. Make sure to back up your database before migration!

For more details on breaking changes and patch notes, see below.
jess-sheneberger pushed a commit to jess-sheneberger/kratos that referenced this pull request Jul 21, 2021
Labels: feat New feature or request.
Development: merging this pull request may close issue #1282, "Prevent accidental leak of PII when Copy & Pasting of Flow URLs which include Flow IDs".