#172 Fix 'Page Expired' errors keep occurring after 30 minutes due to…

… default timeout by CBCSRF module
coldbox-modules · Jan 3, 2025 · 2fa5a70 · 2fa5a70
1 parent be3105e
commit 2fa5a70
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 6 deletions.
diff --git a/ModuleConfig.cfc b/ModuleConfig.cfc
@@ -38,7 +38,11 @@ component {
             /**
              * Trims string properties if set to true
              */
-            "trimStringValues" : false
+            "trimStringValues" : false,
+            /**
+             * The wirebox mapping to use for the CSRF storage.
+             */
+            "csrfStorage": "SessionStorage@cbstorages"
         };
 
         routes = [

diff --git a/models/CBWIREController.cfc b/models/CBWIREController.cfc
@@ -6,8 +6,8 @@ component singleton {
     // Injected RequestService so that we can access the current ColdBox RequestContext.
     property name="requestService" inject="coldbox:requestService";
 
-    // Inject CBCSRF for CSRF token generation and verification
-    property name="cbcsrf" inject="provider:@cbcsrf";
+    // Inject CSRF token generation and verification
+    property name="csrf" inject="CSRF@cbwire";
 
     // Inject module settings
     property name="moduleSettings" inject="coldbox:modulesettings:cbwire";
@@ -66,7 +66,8 @@ component singleton {
         // Set the CSRF token for the request
         local.csrfToken = local.payload._token;
         // Validate the CSRF token
-        local.csrfTokenVerified = variables.wirebox.getInstance( dsl="@cbcsrf" ).verify( local.csrfToken );
+        local.csrfTokenVerified = verifyCSRFToken( local.csrfToken );
+
         // Check the CSRF token, throw 403 if invalid
         if( !local.csrfTokenVerified ){
             throw( type="CBWIREException", message="Page expired." );
@@ -424,7 +425,17 @@ component singleton {
      */
     function generateCSRFToken() {
         // Generate the CSRF token using the cbcsrf library
-        return variables.cbcsrf.generate();
+        return variables.csrf.generate();
+    }
+    /** 
+     * Verifies a CSRF token.
+     * 
+     * @token string | The CSRF token to verify.
+     * 
+     * @return boolean
+     */
+    function verifyCSRFToken( token ) {
+        return variables.csrf.verify( token );
     }
 
     /**

diff --git a/models/CSRF.cfc b/models/CSRF.cfc
@@ -0,0 +1,39 @@
+component singleton {
+
+    property name="wirebox" inject="wirebox";
+    property name="settings" inject="coldbox:moduleSettings:cbwire";
+
+    /** 
+     * Generate a CSRF token.
+     * 
+     * @return string
+     */
+    function generate() {
+        var csrf = hash( createUUID(), "SHA-256" );
+        getCSRFStorage().set( "CBWIRE_CSRF", csrf );
+        return csrf;
+    }
+
+    /** 
+     * Verify a CSRF token.
+     * 
+     * @token string
+     * 
+     * @return boolean
+     */
+    function verify( token ) {
+        if ( !getCSRFStorage().exists( "CBWIRE_CSRF" ) ) {
+            throw( type="CSRF Expired", message="Page expired" );
+        }
+        return true;
+    }
+
+    /** 
+     * Get the CSRF storage object.
+     * 
+     * @return any
+     */
+    function getCSRFStorage() {
+        return wirebox.getInstance( settings.csrfStorage );
+    }
+}
diff --git a/test-harness/tests/specs/CBWIRESpec.cfc b/test-harness/tests/specs/CBWIRESpec.cfc
@@ -451,8 +451,11 @@ component extends="coldbox.system.testing.BaseTestCase" {
                 // and prepareMock() is a custom method to mock any dependencies, if necessary.
                 setup();
                 cbwireController = getInstance("CBWIREController@cbwire");
-                event = getRequestContext();
                 prepareMock( cbwireController );
+                event = getRequestContext();
+                csrf = prepareMock( getInstance( "CSRF@cbwire" ) );
+                csrf.$( "verify", true );
+                cbwireController.$property( "csrf", "variables", csrf );
             });
 
             it( "should trim string values if global setting enabled on coldbox.cfc", () => {
@@ -572,6 +575,8 @@ component extends="coldbox.system.testing.BaseTestCase" {
             } );
 
             it( "should throw a 419 Page Expired error if the CSRF token doesn't match", function() {
+                csrf.$( "verify", false );
+
                 var payload = incomingRequest(
                     memo = {
                         "name": "TestComponent",
@@ -586,6 +591,8 @@ component extends="coldbox.system.testing.BaseTestCase" {
                 expect( function() {
                     cbwireController.handleRequest( payload, event );
                 } ).toThrow( type="CBWIREException", message="Page expired." );
+
+                csrf.$( "verify", true );
             } );
 
             it( "should provide a handleRequest() method that returns subsequent payloads", function() {