chore: csrf support

sureshg · sureshg · commit f79dfdf9b8f9 · 2024-12-08T21:12:13.000-08:00
diff --git a/backend/jvm/build.gradle.kts b/backend/jvm/build.gradle.kts
@@ -174,6 +174,7 @@ dependencies {
   implementation(libs.ktor.server.compression)
   implementation(libs.ktor.server.cors)
   implementation(libs.ktor.server.hsts)
+  implementation(libs.ktor.server.csrf)
   implementation(libs.ktor.server.rate.limit)
   implementation(libs.ktor.server.double.receive)
   implementation(libs.ktor.server.host.common)
diff --git a/backend/jvm/src/main/kotlin/dev/suresh/routes/Service.kt b/backend/jvm/src/main/kotlin/dev/suresh/routes/Service.kt
@@ -11,6 +11,7 @@ import io.github.oshai.kotlinlogging.KLogger
 import io.github.oshai.kotlinlogging.KotlinLogging
 import io.ktor.http.*
 import io.ktor.server.application.*
+import io.ktor.server.plugins.csrf.CSRF
 import io.ktor.server.response.*
 import io.ktor.server.routing.*
 import io.ktor.server.sessions.*
@@ -36,12 +37,27 @@ fun Routing.services() {
       call.respondText("Session created")
     }
 
-    get("/") {
+    get {
       val session = call.sessions.get<CookieSession>()
       call.respondText("Current Session: $session")
     }
   }
 
+  route("/csrf") {
+    install(CSRF) {
+      allowOrigin("https://localhost:8080")
+      originMatchesHost()
+      checkHeader("X-CSRF") { csrfHeader ->
+        val originHeader = request.headers[HttpHeaders.Origin]
+        csrfHeader == originHeader?.hashCode()?.toString(32)
+      }
+
+      onFailure { respondText("Access denied!", status = HttpStatusCode.Forbidden) }
+    }
+
+    post { call.respondText("CSRF check passed!") }
+  }
+
   wasm()
 }
 
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -342,6 +342,7 @@ ktor-server-call-logging             = { module = "io.ktor:ktor-server-call-logg
 ktor-server-call-id                  = { module = "io.ktor:ktor-server-call-id"                                     , version.ref = "ktor"}
 ktor-server-cors                     = { module = "io.ktor:ktor-server-cors"                                        , version.ref = "ktor"}
 ktor-server-hsts                     = { module = "io.ktor:ktor-server-hsts"                                        , version.ref = "ktor"}
+ktor-server-csrf                     = { module = "io.ktor:ktor-server-csrf"                                        , version.ref = "ktor"}
 ktor-server-swagger                  = { module = "io.ktor:ktor-server-swagger"                                     , version.ref = "ktor"}
 ktor-server-openapi                  = { module = "io.ktor:ktor-server-openapi"                                     , version.ref = "ktor"}
 ktor-server-http-redirect            = { module = "io.ktor:ktor-server-http-redirect"                               , version.ref = "ktor"}
