From 208b2e714630021b7bf48e96d9641f6a03123460 Mon Sep 17 00:00:00 2001
From: Spac3Drunk
Date: Tue, 14 Feb 2023 23:04:04 +0100
Subject: [PATCH] CSRF protection added
---
 .../bookstore/config/SecurityConfiguration.java | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/pw/pw-csrf/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java b/pw/pw-csrf/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java
index b84ee64d..f3fcc92e 100644
--- a/pw/pw-csrf/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java
+++ b/pw/pw-csrf/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java
@@ -23,6 +23,7 @@
 import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.web.filter.CorsFilter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableWebSecurity
@@ -81,8 +82,8 @@ protected void configure(HttpSecurity http) throws Exception {
 .authenticationEntryPoint(http401UnauthorizedEntryPoint())
 .and()
 .csrf()
-.disable() // <== for tests!! //TODO remove it
-//.csrfTokenRepository(....)
+.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+.and()
 .headers()
 .frameOptions()
 .disable()
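Review bot: `CookieCsrfTokenRepository.withHttpOnlyFalse()` deliberately leaves the XSRF-TOKEN cookie readable from script so a browser client can echo it back, and that only protects anything if every state-changing request actually carries the value in the `X-XSRF-TOKEN` header (the repository's default header name); the client code and the integration tests that the removed `// <== for tests!!` comment alludes to need to send that header or they will start getting 403s. A short comment on the new line would make the intent explicit: `// XSRF-TOKEN is readable by the SPA on purpose (httpOnly=false); clients must echo it in X-XSRF-TOKEN`. The cookie's Secure flag is derived from `request.isSecure()` unless set explicitly, so behind a TLS-terminating proxy that does not forward the scheme the token cookie may be issued without Secure — if the app is deployed that way (not visible here), prefer building the repository and calling `setSecure(true)` where the Spring Security version in use provides it. The enclosing configure(HttpSecurity) method starts and ends outside this hunk.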
@@ -97,15 +98,13 @@ protected void configure(HttpSecurity http) throws Exception {
 .antMatchers("/api/account/reset_password/init").permitAll()
 .antMatchers("/api/account/reset_password/finish").permitAll()
 .antMatchers("/api/profile-info").permitAll()
-.antMatchers("/api/**").permitAll() // authenticated() <== for tests!! //TODO remove it
+//.antMatchers("/api/**").permitAll() // authenticated() <== for tests!! //TODO remove it
 .antMatchers("/management/health").permitAll()
 .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
 .antMatchers("/v2/api-docs/**").hasAuthority(AuthoritiesConstants.ADMIN)
-// .and()
-// .apply(securityConfigurerAdapter())
+.and()
+.apply(securityConfigurerAdapter())
 ;
-// TODO uncomment this line to activate JWT filter
-
 }
 
 private JWTConfigurer securityConfigurerAdapter() {
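Review bot: The `.antMatchers("/api/**").permitAll()` line is commented out instead of deleted, leaving dead code that still carries a `//TODO remove it` marker with nothing left to remove; delete the line so the matcher list reads as the authoritative policy. With that rule gone, `/api/**` requests now fall through to whatever rule follows these matchers — presumably an `anyRequest().authenticated()` outside this hunk — and that is worth confirming, because no visible line here denies unauthenticated access to `/api/**` and the remaining `permitAll` entries (`reset_password/init`, `reset_password/finish`, `profile-info`) are the only `/api` paths explicitly covered. Enabling `.apply(securityConfigurerAdapter())` means the JWT filter now runs for these paths, so the earlier hunk's CSRF change and this one should be exercised together by a test that sends a state-changing `/api` request with and without a token. The enclosing configure(HttpSecurity) method starts outside this hunk, and `securityConfigurerAdapter()` continues past its end.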