Magnolia as headless cms - CSRF

Patrik Pahulák

Mar 1, 2024, 12:43:23 PMMar 1
to Magnolia User Mailing List
Hello, I am using Magnolia as a headless CMS. I have a separate frontend app that makes requests to a Magnolia REST API. Now what I'd like to know is how one should implement CSRF protection in this scenario. I've read the docs about filters but I'm still not sure how to get this working.
Storing and sending the tokens from my frontend app is not an issue, so what I essentially need to know is how to generate a token once a user logs in via my REST endpoint. Afterwards, how would I check whether the tokens included in requests to my API are valid or not? I was thinking of generating them myself, then setting up a custom filter that would check whether these tokens are valid (so basically what CsrfSessionTokenFilter does).

NOTE: I have not exactly played around with the config of the aforementioned CSRF filters, so this might be trivial to implement out of the box. Instead I tried playing around with a RestCsrfPreventionFilter (ended up breaking the whole app; cookies were not exactly working when using it).

Roman Kovařík

Mar 7, 2024, 5:44:46 AMMar 7
to Magnolia User Mailing List, patrik....@servermechanics.cz
Hey Patrik,

REST requests are by default bypassed by the CSRF filter (they are expected to be stateless).
You might try to remove the bypass. AFAIK, the flow should be as follows: GET requests should generate the token into a "csrf" cookie, which is supposed to be sent in the following POST requests as a "csrf" parameter.

Looks like RestCsrfPreventionFilter has a similar flow. Have you tried using it via an info.magnolia.cms.filters.FilterDecorator? You might need to place it at the correct position in the filter chain (possibly before the servlets).

Hope that helps.
Roman
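To make the flow concrete for both posts above (Patrik's question of how to issue a token and then validate it on every request, and Roman's description of a token issued into a "csrf" cookie on GET and echoed back on POST), here is an added example of a plain servlet Filter doing exactly that double-submit check. It is illustrative code written for this thread, not Magnolia's own code and not the implementation of CsrfSessionTokenFilter or RestCsrfPreventionFilter; wiring it into Magnolia's chain (for example through a FilterDecorator, as Roman suggests) is left out. Assumptions: the javax.servlet API (Magnolia 6.2 era), the class name RestCsrfDoubleSubmitFilter, and the header name X-CSRF-Token as an alternative to the "csrf" parameter are all my own choices.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative double-submit-cookie CSRF filter (added example, hypothetical
 * class; NOT Magnolia's CsrfSessionTokenFilter or RestCsrfPreventionFilter).
 *
 * Flow: a safe request (GET/HEAD/OPTIONS) without a "csrf" cookie gets a fresh
 * random token set as that cookie. Every state-changing request must echo the
 * cookie value back, either as the "csrf" parameter or in the X-CSRF-Token
 * header; if cookie and echoed value do not match, the request is rejected.
 * An attacker site can make the browser send the cookie, but cannot read it
 * and so cannot supply the matching parameter/header.
 */
public class RestCsrfDoubleSubmitFilter implements Filter {

    static final String COOKIE_NAME = "csrf";
    static final String PARAM_NAME = "csrf";
    static final String HEADER_NAME = "X-CSRF-Token"; // assumed header name
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    private final SecureRandom random = new SecureRandom();

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String cookieToken = readCookie(request, COOKIE_NAME);

        if (SAFE_METHODS.contains(request.getMethod())) {
            // Safe method: issue a token if the browser does not have one yet.
            if (cookieToken == null) {
                Cookie cookie = new Cookie(COOKIE_NAME, newToken());
                cookie.setPath("/");
                cookie.setSecure(true);
                cookie.setHttpOnly(false); // deliberate: the frontend must read it to echo it
                response.addCookie(cookie);
            }
            chain.doFilter(req, res);
            return;
        }

        // State-changing method: the echoed token must match the cookie.
        String submitted = request.getHeader(HEADER_NAME);
        if (submitted == null) {
            submitted = request.getParameter(PARAM_NAME);
        }
        if (cookieToken == null || submitted == null || !constantTimeEquals(cookieToken, submitted)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
            return;
        }
        chain.doFilter(req, res);
    }

    /** 256 bits from SecureRandom, URL-safe base64 so it is cookie- and header-safe. */
    String newToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (name.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }

    /** Length-independent comparison so token validity does not leak through timing. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(
                a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Two practical notes on this pattern. First, it only works when the frontend can read the cookie, which is why HttpOnly is off here; if the frontend app is served from a different site than Magnolia, browser rules will stop it reading that cookie, and the usual alternative is to return the token in the login response body and have the frontend send it back in the header while the cookie travels along via credentialed requests. Second, for a JSON REST API the header form is the one to rely on, since request.getParameter() only sees form-encoded or query parameters; the "csrf" parameter fallback is kept here to mirror the flow described in the reply above.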
