fix: reworked csrf

2025-12-04 10:12:05 +03:00 · 2025-12-04 10:12:05 +03:00 · bd868bb724
commit bd868bb724
parent 475266eef6
16 changed files with 39 additions and 150 deletions
--- a/api/_build/openapi.yaml
+++ b/api/_build/openapi.yaml
@ -150,8 +150,6 @@ paths:
          description: User not found
        '500':
          description: Unknown server error
-      security:
-        - JwtAuthCookies: []
    patch:
      operationId: updateUser
      summary: Partially update a user account
@ -160,7 +158,6 @@ paths:
        Password updates must be done via the dedicated auth-service (`/auth/`).
        Fields not provided in the request body remain unchanged.
      parameters:
-        - $ref: '#/components/parameters/csrfTokenHeader'
        - name: user_id
          in: path
          description: User ID (primary key)
@ -229,7 +226,7 @@ paths:
        '500':
          description: Unknown server error
      security:
-        - JwtAuthCookies: []
+        XsrfAuthHeader: []
  '/users/{user_id}/titles':
    get:
      operationId: getUserTitles
@ -405,14 +402,11 @@ paths:
          description: User or title not found
        '500':
          description: Unknown server error
-      security:
-        - JwtAuthCookies: []
    patch:
      operationId: updateUserTitle
      summary: Update a usertitle
      description: User updating title list of watched
      parameters:
-        - $ref: '#/components/parameters/csrfTokenHeader'
        - name: user_id
          in: path
          required: true
@ -455,13 +449,12 @@ paths:
        '500':
          description: Internal server error
      security:
-        - JwtAuthCookies: []
+        - XsrfAuthHeader: []
    delete:
      operationId: deleteUserTitle
      summary: Delete a usertitle
      description: User deleting title from list of watched
      parameters:
-        - $ref: '#/components/parameters/csrfTokenHeader'
        - name: user_id
          in: path
          required: true
@ -486,42 +479,9 @@ paths:
        '500':
          description: Internal server error
      security:
-        - JwtAuthCookies: []
+        - XsrfAuthHeader: []
 components:
  parameters:
-    accessToken:
-      name: access_token
-      in: cookie
-      required: true
-      schema:
-        type: string
-        format: jwt
-      example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.x.y
-      description: |
-        JWT access token.
-    csrfToken:
-      name: xsrf_token
-      in: cookie
-      required: true
-      schema:
-        type: string
-        pattern: '^[a-zA-Z0-9_-]{32,64}$'
-      example: abc123def456ghi789jkl012mno345pqr
-      description: |
-        Anti-CSRF token (Double Submit Cookie pattern).
-        Stored in non-HttpOnly cookie, readable by JavaScript.
-        Must be echoed in `X-XSRF-TOKEN` header for state-changing requests (POST/PUT/PATCH/DELETE).
-    csrfTokenHeader:
-      name: X-XSRF-TOKEN
-      in: header
-      required: true
-      schema:
-        type: string
-        pattern: '^[a-zA-Z0-9_-]{32,64}$'
-      description: |
-        Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
-        Required for all state-changing requests (POST/PUT/PATCH/DELETE).
-      example: abc123def456ghi789jkl012mno345pqr
    cursor:
      in: query
      name: cursor
@ -780,3 +740,11 @@ components:
    Review:
      type: object
      additionalProperties: true
+  securitySchemes:
+    XsrfAuthHeader:
+      type: apiKey
+      in: header
+      name: X-XSRF-TOKEN
+      description: |
+        Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
+        Required for all state-changing requests (POST/PUT/PATCH/DELETE).
--- a/api/openapi.yaml
+++ b/api/openapi.yaml
@ -23,3 +23,5 @@ components:
    $ref: "./parameters/_index.yaml"
  schemas:
    $ref: "./schemas/_index.yaml"
+  securitySchemes:
+    $ref: "./securitySchemes/_index.yaml"
--- a/api/parameters/_index.yaml
+++ b/api/parameters/_index.yaml
@ -1,10 +1,4 @@
 cursor:
  $ref: "./cursor.yaml"
 title_sort:
-  $ref: "./title_sort.yaml"
-accessToken:
-  $ref: "./access_token.yaml"
-csrfToken:
-  $ref: "./xsrf_token_cookie.yaml"
-csrfTokenHeader:
-  $ref: "./xsrf_token_header.yaml"
+  $ref: "./title_sort.yaml"
--- a/api/parameters/access_token.yaml
+++ b/api/parameters/access_token.yaml
@ -1,9 +0,0 @@
-name: access_token
-in: cookie
-required: true
-schema:
-  type: string
-  format: jwt
-example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.x.y"
-description: |
-  JWT access token.
--- a/api/parameters/xsrf_token_cookie.yaml
+++ b/api/parameters/xsrf_token_cookie.yaml
@ -1,11 +0,0 @@
-name: xsrf_token
-in: cookie
-required: true
-schema:
-  type: string
-  pattern: "^[a-zA-Z0-9_-]{32,64}$"
-example: "abc123def456ghi789jkl012mno345pqr"
-description: |
-  Anti-CSRF token (Double Submit Cookie pattern).
-  Stored in non-HttpOnly cookie, readable by JavaScript.
-  Must be echoed in `X-XSRF-TOKEN` header for state-changing requests (POST/PUT/PATCH/DELETE).
--- a/api/parameters/xsrf_token_header.yaml
+++ b/api/parameters/xsrf_token_header.yaml
@ -1,10 +0,0 @@
-name: X-XSRF-TOKEN
-in: header
-required: true
-schema:
-  type: string
-  pattern: "^[a-zA-Z0-9_-]{32,64}$"
-description: |
-  Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
-  Required for all state-changing requests (POST/PUT/PATCH/DELETE).
-example: "abc123def456ghi789jkl012mno345pqr"
--- a/api/paths/users-id-titles-id.yaml
+++ b/api/paths/users-id-titles-id.yaml
@ -1,8 +1,6 @@
 get:
  summary: Get user title
  operationId: getUserTitle
-  security:
-  - JwtAuthCookies: []
  parameters:
  - in: path
    name: user_id
@ -37,9 +35,8 @@ patch:
  description: User updating title list of watched
  operationId: updateUserTitle
  security:
-  - JwtAuthCookies: []
+    - XsrfAuthHeader: []
  parameters:
-  - $ref: '../parameters/xsrf_token_header.yaml'
  - in: path
    name: user_id
    required: true
@ -87,9 +84,8 @@ delete:
  description: User deleting title from list of watched
  operationId: deleteUserTitle
  security:
-  - JwtAuthCookies: []
+    - XsrfAuthHeader: []
  parameters:
-  - $ref: '../parameters/xsrf_token_header.yaml'
  - in: path
    name: user_id
    required: true
--- a/api/paths/users-id.yaml
+++ b/api/paths/users-id.yaml
@ -1,8 +1,6 @@
 get:
  summary: Get user info
  operationId: getUsersId
-  security:
-  - JwtAuthCookies: []
  parameters:
  - in: path
    name: user_id
@ -30,15 +28,15 @@ get:

 patch:
  summary: Partially update a user account
-  security:
-  - JwtAuthCookies: []
  description: |
    Update selected user profile fields (excluding password). 
    Password updates must be done via the dedicated auth-service (`/auth/`).
    Fields not provided in the request body remain unchanged.
  operationId: updateUser
+  security:
+    XsrfAuthHeader: []
  parameters:
-    - $ref: '../parameters/xsrf_token_header.yaml'
+    # - $ref: '../parameters/xsrf_token_header.yaml'
    - name: user_id
      in: path
      required: true
--- a/api/securitySchemes/_index.yaml
+++ b/api/securitySchemes/_index.yaml
@ -0,0 +1,11 @@
+# accessToken:
+#   $ref: "./access_token.yaml"
+# csrfToken:
+#   $ref: "./xsrf_token_cookie.yaml"
+XsrfAuthHeader:
+  type: apiKey
+  in: header
+  name: X-XSRF-TOKEN
+  description: |
+    Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
+    Required for all state-changing requests (POST/PUT/PATCH/DELETE).