fix: relax csrf to exclude path based apps (#11430)

* fix: relax csrf to exclude path based apps * add unit test to verify path based apps are not CSRF blocked
2025-07-18 14:17:22 +00:00 · 2024-01-08 16:33:57 -06:00
parent 9f5a59d5c5
commit fb29af664b
4 changed files with 151 additions and 2 deletions
--- a/coderd/httpmw/csrf.go
+++ b/coderd/httpmw/csrf.go
@ -3,6 +3,7 @@ package httpmw
 import (
 	"net/http"
 	"regexp"
+	"strings"

 	"github.com/justinas/nosurf"
 	"golang.org/x/xerrors"
@ -12,6 +13,8 @@ import (

 // CSRF is a middleware that verifies that a CSRF token is present in the request
 // for non-GET requests.
+// If enforce is false, then CSRF enforcement is disabled. We still want
+// to include the CSRF middleware because it will set the CSRF cookie.
 func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		mw := nosurf.New(next)
@ -19,10 +22,16 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
 		mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies.", http.StatusBadRequest)
 		}))
+
+		mw.ExemptRegexp(regexp.MustCompile("/api/v2/users/first"))
+
 		// Exempt all requests that do not require CSRF protection.
 		// All GET requests are exempt by default.
 		mw.ExemptPath("/api/v2/csp/reports")

+		// This should not be required?
+		mw.ExemptRegexp(regexp.MustCompile("/api/v2/users/first"))
+
 		// Agent authenticated routes
 		mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceagents/me/*"))
 		mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceagents/*"))
@ -36,6 +45,11 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
 		mw.ExemptRegexp(regexp.MustCompile("/organizations/[^/]+/provisionerdaemons/*"))

 		mw.ExemptFunc(func(r *http.Request) bool {
+			// Only enforce CSRF on API routes.
+			if !strings.HasPrefix(r.URL.Path, "/api") {
+				return true
+			}
+
 			// CSRF only affects requests that automatically attach credentials via a cookie.
 			// If no cookie is present, then there is no risk of CSRF.
 			//nolint:govet
--- a/coderd/httpmw/csrf_test.go
+++ b/coderd/httpmw/csrf_test.go
@ -0,0 +1,71 @@
+package httpmw_test
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/justinas/nosurf"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/codersdk"
+)
+
+func TestCSRFExemptList(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		Name   string
+		URL    string
+		Exempt bool
+	}{
+		{
+			Name:   "Root",
+			URL:    "https://example.com",
+			Exempt: true,
+		},
+		{
+			Name:   "WorkspacePage",
+			URL:    "https://coder.com/workspaces",
+			Exempt: true,
+		},
+		{
+			Name:   "SubApp",
+			URL:    "https://app--dev--coder--user--apps.coder.com/",
+			Exempt: true,
+		},
+		{
+			Name:   "PathApp",
+			URL:    "https://coder.com/@USER/test.instance/apps/app",
+			Exempt: true,
+		},
+		{
+			Name:   "API",
+			URL:    "https://coder.com/api/v2",
+			Exempt: false,
+		},
+		{
+			Name:   "APIMe",
+			URL:    "https://coder.com/api/v2/me",
+			Exempt: false,
+		},
+	}
+
+	mw := httpmw.CSRF(false)
+	csrfmw := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})).(*nosurf.CSRFHandler)
+
+	for _, c := range cases {
+		c := c
+		t.Run(c.Name, func(t *testing.T) {
+			t.Parallel()
+
+			r, err := http.NewRequestWithContext(context.Background(), http.MethodPost, c.URL, nil)
+			require.NoError(t, err)
+
+			r.AddCookie(&http.Cookie{Name: codersdk.SessionTokenCookie, Value: "test"})
+			exempt := csrfmw.IsExempt(r)
+			require.Equal(t, c.Exempt, exempt)
+		})
+	}
+}