Fixing problems with CSRF and react client

aidanwhiteley · Oct 25, 2024 · 7b7b52f · 7b7b52f
1 parent 4e17503
commit 7b7b52f
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 8 deletions.
diff --git a/src/main/java/com/aidanwhiteley/books/controller/config/WebSecurityConfiguration.java b/src/main/java/com/aidanwhiteley/books/controller/config/WebSecurityConfiguration.java
@@ -21,6 +21,7 @@
 import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.jackson2.CoreJackson2Module;
@@ -106,7 +107,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
         // https://github.com/pasupulaphani/angular-csrf-cross-domain
         // So if using CORS, there's no XSRF protection!
         if (enableCORS) {
-            http.csrf(csrf -> csrf.disable());
+            http.csrf(AbstractHttpConfigurer::disable);
             LOGGER.warn("");
             LOGGER.warn("**********************************************************************");
             LOGGER.warn("*** WARNING!                                                       ***");

diff --git a/src/main/resources/application-dev-mongo-java-server.yml b/src/main/resources/application-dev-mongo-java-server.yml
@@ -48,9 +48,9 @@ logging:
 
 books:
   client:
-    enableCORS: true      # Note - this value overriden in the IntegrationTest base test class
+    enableCORS: false      # Note - this value overriden in the IntegrationTest base test class
     allowedCorsOrigin: http://localhost:9000
-    postLogonUrl: http://localhost:9000/
+    postLogonUrl: http://localhost:5173/?logged-on=y
     xsrfHeader: X-XSRF
 
   google:
@@ -70,7 +70,7 @@ books:
   users:
     default:
       admin:
-        email: "exmaple@example.com"  # The remote email address for the user that will be automatically made an admin on first logon
+        email: "exampleFrom@example.com"  # The remote email address for the user that will be automatically made an admin on first logon
     registrationAdminEmail:
       enabled: false
       emailFrom: "[email protected]"

diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -27,11 +27,11 @@ spring:
           google:
             client-id: NotInSCM1
             client-secret: NotInSCM1
-            redirect-uri: https://{baseHost}{basePort}{basePath}/login/oauth2/code/google
+            redirect-uri: http://localhost:8080/login/oauth2/code/google
           facebook:
             client-id: NotInSCM2
             client-secret: NotInSCM2
-            redirect-uri: https://{baseHost}{basePort}{basePath}/login/oauth2/code/facebook
+            redirect-uri: http://localhost:8080/login/oauth2/code/facebook
         provider:
           # Google provides all the info this app needs by default. Facebook needs configuring.
           facebook:
@@ -98,8 +98,8 @@ books:
 
   client:
     enableCORS: false       # Setting this to true in production is not supported - leaves app at risk of CSRF
-    allowedCorsOrigin: http://localhost:9000
-    postLogonUrl: http://localhost:9000/
+    allowedCorsOrigin: http://localhost:5173
+    postLogonUrl: http://localhost:5173/?logged-on=y
     xsrfHeader: X-XSRF
 
   google: