CSRF

Http4s provides Middleware, named CSRF, to prevent Cross-site request forgery attacks. This middleware is modeled after the double submit cookie pattern.

Examples in this document have the following dependencies.

libraryDependencies ++= Seq(
  "org.http4s" %% "http4s-dsl" % http4sVersion,
  "org.http4s" %% "http4s-server" % http4sVersion
)

And we need some imports.

  import cats.effect._
  import org.http4s._
  import org.http4s.dsl.io._
  import org.http4s.implicits._
  import org.http4s.headers.Referer
  import org.http4s.server.middleware._

Let’s start by making a simple service.

val service = HttpRoutes.of[IO] {
  case _ =>
    Ok()
} 
// service: org.http4s.HttpRoutes[cats.effect.IO] = Kleisli(org.http4s.HttpRoutes$$$Lambda$36610/412833184@5e75e2b)

val request = Request[IO](Method.GET, uri"/")
// request: org.http4s.Request[cats.effect.IO] = Request(method=GET, uri=/, headers=Headers())

service.orNotFound(request).unsafeRunSync
// res0: org.http4s.Response[cats.effect.IO] = Response(status=200, headers=Headers(Content-Length: 0))

That didn’t do all that much. Lets build out our CSRF Middleware by creating a CSRFBuilder

val cookieName = "csrf-token"
val key  = CSRF.generateSigningKey[IO].unsafeRunSync
val defaultOriginCheck: Request[IO] => Boolean =
  CSRF.defaultOriginCheck[IO](_, "localhost", Uri.Scheme.http, None)
val csrfBuilder = CSRF[IO,IO](key, defaultOriginCheck)

More info on what is possible in the CSRFBuilder Docs, but we will create a fairly simple CSRF Middleware in our example.

val csrf = csrfBuilder.withCookieName(cookieName).withCookieDomain(Some("localhost")).withCookiePath(Some("/")).build
// csrf: org.http4s.server.middleware.CSRF[cats.effect.IO,cats.effect.IO] = org.http4s.server.middleware.CSRF@2b8c1f0f

Now we need to wrap this around our service! We’re gonna start with a safe call

val dummyRequest: Request[IO] =
    Request[IO](method = Method.GET).putHeaders(Header("Origin", "http://localhost"))
// dummyRequest: org.http4s.Request[cats.effect.IO] = Request(method=GET, uri=/, headers=Headers(Origin: http://localhost))

val resp = csrf.validate()(service.orNotFound)(dummyRequest).unsafeRunSync()
// resp: org.http4s.Response[cats.effect.IO] = Response(status=200, headers=Headers(Content-Length: 0, Set-Cookie: <REDACTED>))

Notice how the response has the CSRF cookies added. How easy was that? And, as described in Middleware, services and middleware can be composed such that only some of your endpoints are CSRF enabled. By default, safe methods will update the CSRF token, while unsafe methods will validate them.

Without getting too deep into it, safe methods are OPTIONS, GET, and HEAD. While unsafe methods are POST, PUT, PATCH, DELETE, and TRACE. To put it simply, state changing methods are unsafe. For more information, check out this cheat sheet on CSRF Prevention.

Unsafe requests (like POST) require us to send the CSRF token in the X-Csrf-Token header (this is the default name, but it can be changed), so we are going to get the value and send it up in our POST. I’ve also added the response cookie as a RequestCookie, normally the browser would send this up with our request, but I needed to do it manually for the purpose of this demo.

val cookie = resp.cookies.head
// cookie: org.http4s.ResponseCookie = csrf-token=B6BB33DE043879B3D7D307B45ABB15723C64362959B9FF1437E43E58FD94CFD6-1569031252262-BC6C97941808F0A80F660AF65A2778D9A989327D; Domain=localhost; Path=/; HttpOnly

val dummyPostRequest: Request[IO] =
    Request[IO](method = Method.POST).putHeaders(
      Header("Origin", "http://localhost"),
      Header("X-Csrf-Token", cookie.content)
    ).addCookie(RequestCookie(cookie.name,cookie.content))
// dummyPostRequest: org.http4s.Request[cats.effect.IO] = Request(method=POST, uri=/, headers=Headers(Origin: http://localhost, X-Csrf-Token: B6BB33DE043879B3D7D307B45ABB15723C64362959B9FF1437E43E58FD94CFD6-1569031252262-BC6C97941808F0A80F660AF65A2778D9A989327D, Cookie: <REDACTED>))

val resp = csrf.validate()(service.orNotFound)(dummyPostRequest).unsafeRunSync()
// resp: org.http4s.Response[cats.effect.IO] = Response(status=200, headers=Headers(Content-Length: 0, Set-Cookie: <REDACTED>))