Comments (7)
tsegismont
commented on August 15, 2024
This is the wrong repository, this issue should have been reported to vertx-web.
Anyway, it seems ok to me if you can't make non-GET requests until you get a new token, that's the purpose of the CSRF token.
If you make a GET request though, it should be sent as a response header, even after a POST request which was never replied.
Perhaps what you want is that the cookie is updated if does not contain the refreshed token?
Would that be fine regarding security @pmlopes ?
from vertx-auth.
chrispatmore
commented on August 15, 2024
Oops sorry, do you want me to move it?
Yea GET requests updating the token would be fine, as it would enable the user to carry on without logging in again
from vertx-auth.
tsegismont
commented on August 15, 2024
Oops sorry, do you want me to move it?
Yes please
from vertx-auth.
pmlopes
commented on August 15, 2024
CSRF is a mitigation against replay attacks, hence the issue that a request that never finishes, blocks the whole sequence of future requests. The way I see it is that:
and:
Should only happen on a successful response:
By wrapping that code only in case of success. This should address the cases:
- a never-ending response, will not rotate the token, (this example) so the next call will succeed
- a call that fails for some reason (say internal server error) will preserve the state
Tests need to be run to verify if this works as expected.
from vertx-auth.
tsegismont
commented on August 15, 2024
Thanks @pmlopes !
So @chrispatmore , if you can provide a test for Vert.x Web that shows 1/ and /2 don't work, please open an issue there.
from vertx-auth.
chrispatmore
commented on August 15, 2024
Sorry to be clear, you would like me to:
move this issue to web, then work on this issue using suggestion from @pmlopes ?
from vertx-auth.
tsegismont
commented on August 15, 2024
Sorry to be clear, you would like me to:
move this issue to web, then work on this issue using suggestion from @pmlopes ?
yes please
from vertx-auth.
Related Issues (20)
- Follow: eclipse-vertx/vert.x#4452
- NullPointerException in private Constructor of OAuth2AuthHandlerImpl HOT 1
- Docs link to legacy repository HOT 1
- WebAuthn : MetadataServiceImpl parseX5c method returns emptyList when x5c is null HOT 1
- WebAuthn : Android Safetynet Integrity verdict (ctsProfileMatch, basicIntegrity) HOT 2
- OAuth2Auth: access_token fails validation if configuration has multiple audiences
- UserConverter NPE when User.authorizations() returns null HOT 4
- OAuth2AuthProvider CLIENT flow with custom data HOT 3
- OAuth2 Auth provider incorrectly validating Access Tokens HOT 12
- UserConverter.decode NPE when deserializing default constructed UserImpl HOT 8
- OAuth2AuthProviderImpl loses Access Token after introspect call HOT 2
- Add support for revoking access tokens when using KeyCloak Authenticator
- Wrong initialization of jwtOptions field in OAuth2Options HOT 2
- WebAuthn: implement hybrid transport
- Usage of PRNG can lead to blocking of thread HOT 3
- [JWT Auth provider] JWTAuthOptions creation fails when using PasswordProtection in KeyStoreOptions HOT 3
- Webauthn : iOS 17.x io.vertx.ext.auth.webauthn.impl.attestation.AttestationException: AAGUID is not 00000000-0000-0000-0000-000000000000! HOT 3
- WebAuthN: Supported Transports are not passed during registration?
- OAuth2Options reuse the same JwtOptions instance HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vertx-auth.