
feat: YL-36-BackSecuring-CSRFToken #19

Merged
merged 5 commits into from
Oct 4, 2024

Conversation

C-Alexis4414 (Owner) commented Sep 30, 2024

WHAT

CSRF, rate-limit and cookie-parser middleware were added with the creation of the security module and controller.

WHY

To enforce protection against cross-site request forgery attacks, brute-force attacks and abuse.

HOW

Nature of CSRF Token
A CSRF token is a temporary token generated for each user or request session; it is stored in a cookie or sent in a request header. The server simply checks whether the token it receives corresponds to the one generated for the current user session.

  1. Installation of dependencies
# express-rate-limit for limiting the number of requests from a user or IP address during a given period, useful to prevent brute-force attacks or abuse
npm i express-rate-limit
# cookie-parser middleware for managing the cookies used to store CSRF tokens
npm i cookie-parser
# csurf middleware, provided by the Nest.js community, for CSRF token integration
npm i csurf
  2. CSRF configuration in the application
    Recommended middleware order:
    a) RateLimitMiddleware -> to limit abusive requests first.
    b) cookie-parser -> to parse cookies and make them available in the req object.
    c) csurf -> to protect against CSRF attacks, using the already parsed cookies.

  3. CSRF error handling
    A custom exception filter for the 403 error (invalid CSRF token) was created in the csrf-exception.filter.ts file.
    This filter is registered globally in the main.ts file.

  4. Creating a route to get the CSRF token
    Added a route that returns the CSRF token, which the frontend can use to protect its requests.

  5. Creation of the security module
    Added a security.module.ts file.
    The rate limiter instance (rateLimiter) is created before the configure method to ensure it is properly initialized at application start.
    Then, in the configure method, the rateLimiter instance is applied as middleware first, followed by cookie-parser and csurf.
    The security module is imported in the app.module.ts file.

  6. For the tests
    To test with Swagger UI, change the OpenAPI* file in main.ts.

(*) Ability to export the OpenAPI file via http://localhost:3000/api-json or http://localhost:3000/api-yaml, to import the query collection into Insomnia.

Link to Jira ticket

BackSecuring-CSRFTokens

Checklist

  • Tested
  • Documented or commented
  • Search for duplicates code or PRs or issues
  • Blocked
  • WIP

Blocked

N/A

WIP

N/A

Resources

Medium article :
Best Security implementation Practices In NestJS. A Comprehensive Guide
Dev.to article :
Best Security implementation Practices In NestJS. A Comprehensive Guide

┆Issue is synchronized with this Jira Task by Unito
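The PR description above explains the token scheme (a secret tied to the session in a cookie, a derived token returned by a dedicated route and echoed back in a header) and the middleware order (rate limit, then cookie parsing, then the CSRF check). The following is an added example, not code from this PR or from csurf/express-rate-limit: it reimplements the same three stages with only Node's crypto module so the ordering and the 429/403 outcomes can be exercised offline. The cookie name _csrf, the header x-csrf-token, the route /csrf-token, the fixed-window limiter and the salted-SHA-256 token construction are assumptions of this example (the salted-hash form mirrors what csurf does via the csrf package, but this is not csurf).

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// --- 1. Cookie parsing (the role cookie-parser plays in the PR) -------------------
export function parseCookies(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (header ?? "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) out[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// --- 2. CSRF tokens: per-session secret in an HttpOnly cookie, salted token in a header
// Assumed scheme: token = salt "." sha256(salt "." secret). The secret never leaves the
// cookie, so an attacker who can trigger a cross-site POST cannot compute a valid token.
export function newCsrfSecret(): string {
  return randomBytes(24).toString("base64url");
}
function tokenHash(salt: string, secret: string): string {
  return createHash("sha256").update(`${salt}.${secret}`).digest("base64url");
}
export function createCsrfToken(secret: string): string {
  const salt = randomBytes(8).toString("base64url"); // base64url never contains "."
  return `${salt}.${tokenHash(salt, secret)}`;
}
export function verifyCsrfToken(secret: string | undefined, token: string | undefined): boolean {
  if (!secret || !token) return false; // missing cookie or header: reject, do not throw
  const dot = token.indexOf(".");
  if (dot <= 0) return false;
  const expected = new TextEncoder().encode(tokenHash(token.slice(0, dot), secret));
  const given = new TextEncoder().encode(token.slice(dot + 1));
  // constant-time compare; length check first because timingSafeEqual throws on mismatch
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// --- 3. Fixed-window rate limiter keyed by client address (express-rate-limit stand-in)
export class RateLimiter {
  private hits = new Map<string, { count: number; windowStart: number }>();
  constructor(private readonly max: number, private readonly windowMs: number) {}
  allow(key: string, now: number): boolean {
    const entry = this.hits.get(key);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      this.hits.set(key, { count: 1, windowStart: now });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.max;
  }
}

// --- 4. Pipeline in the PR's recommended order: rate limit -> cookies -> csrf -> handler
export interface Request { ip: string; method: string; path: string; headers: Record<string, string> }
export interface Response { status: number; body: string; setCookie?: string }

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]); // read-only methods are not CSRF-checked

export function handle(req: Request, limiter: RateLimiter, now: number = Date.now()): Response {
  // a) rate limiting runs before anything else, so abusive clients never reach the CSRF logic
  if (!limiter.allow(req.ip, now)) return { status: 429, body: "Too Many Requests" };
  // b) cookies are parsed once and made available to the next stages
  const cookies = parseCookies(req.headers["cookie"]);
  // The token route: (re)use the secret cookie and hand the client a fresh token for its headers
  if (req.method === "GET" && req.path === "/csrf-token") {
    const secret = cookies["_csrf"] ?? newCsrfSecret();
    return {
      status: 200,
      body: createCsrfToken(secret),
      setCookie: `_csrf=${secret}; HttpOnly; SameSite=Strict; Path=/`,
    };
  }
  // c) state-changing requests must carry a token that matches the secret in the cookie;
  //    a mismatch is the 403 the PR's custom exception filter renders
  if (!SAFE_METHODS.has(req.method) && !verifyCsrfToken(cookies["_csrf"], req.headers["x-csrf-token"])) {
    return { status: 403, body: "invalid csrf token" };
  }
  return { status: 200, body: `${req.method} ${req.path} ok` };
}
```

Usage mirrors the Swagger/Insomnia flow described in the PR: call GET /csrf-token first, keep the Set-Cookie, then send the returned token in x-csrf-token on every POST/PUT/DELETE. Note that the limiter answers 429 even for requests that would otherwise fail the CSRF check, which is exactly the "rate limit first" ordering the PR recommends.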

- Middleware CSRF, Rate-Limit, and Cookie-Parser were added with the
creation of the security module and controller.
- For enforcing security against cross-site request forgery attacks,
brute-force attacks and abuse.
Reviewed by: @C-Alexis4414
- Using Swagger UI and Insomnia, tested paths with the @ApiHeader decorator
to pass the CSRF token in the header of these requests, and created a
custom exception filter in case of a 403 error (invalid CSRF token).
- Ensure the proper functioning of the protection implemented.

Reviewed by: @C-Alexis4414
Github issue: #18
@github-actions github-actions bot added size/XL ci/cd Continuous integration and delivery tables crud tests gitWorkflow and removed size/XL labels Sep 30, 2024
@C-Alexis4414 C-Alexis4414 changed the title YL-36-BackSecuring-CSRFToken feat: YL-36-BackSecuring-CSRFToken Sep 30, 2024
@C-Alexis4414 C-Alexis4414 added enhancement New feature or request Security Securing against attacks and abuses and removed ci/cd Continuous integration and delivery tables tests gitWorkflow labels Sep 30, 2024
@C-Alexis4414 C-Alexis4414 linked an issue Sep 30, 2024 that may be closed by this pull request
C-Alexis4414 (Owner, Author) commented:

Implementation of user sessions to complement good security practices.
YL-48 User-Session

accardigianni (Collaborator) left a review comment:

Approve

accardigianni (Collaborator) left a review comment:

approve

@accardigianni accardigianni merged commit b40f8c9 into main Oct 4, 2024
6 checks passed
Labels
crud enhancement New feature or request Security Securing against attacks and abuses
Development

Successfully merging this pull request may close these issues:
feat: BackSecuring-CSRFTokens