Merge pull request #511 from nextcloud/enhancement/csrf-expiry-retry-handler

Add retry handler for expired CSRF tokens

Author: st3iny

lib/index.ts

@@ -1,7 +1,8 @@
 import Axios, { AxiosInstance, CancelTokenStatic } from 'axios'
 import { getRequestToken, onRequestTokenUpdate } from '@nextcloud/auth'
 
-import { onError } from './interceptors/maintenance-mode'
+import { onError as onCsrfTokenError } from './interceptors/csrf-token'
+import { onError as onMaintenanceModeError } from './interceptors/maintenance-mode'
 
 interface CancelableAxiosInstance extends AxiosInstance {
 	CancelToken: CancelTokenStatic
@@ -18,7 +19,8 @@ const cancelableClient: CancelableAxiosInstance = Object.assign(client, {
 	isCancel: Axios.isCancel,
 })
 
-cancelableClient.interceptors.response.use(r => r, onError(cancelableClient))
+cancelableClient.interceptors.response.use(r => r, onCsrfTokenError(cancelableClient))
+cancelableClient.interceptors.response.use(r => r, onMaintenanceModeError(cancelableClient))
 
 onRequestTokenUpdate(token => client.defaults.headers.requesttoken = token)
 

lib/interceptors/csrf-token.ts

@@ -0,0 +1,29 @@
+import { generateUrl } from '@nextcloud/router'
+
+const RETRY_KEY = Symbol('csrf-retry')
+
+export const onError = axios => async (error) => {
+	const { config, response, request: { responseURL } } = error
+	const { status } = response
+
+	if (status === 412
+		&& response?.data?.message === 'CSRF check failed'
+		&& config[RETRY_KEY] === undefined) {
+		console.warn(`Request to ${responseURL} failed because of a CSRF mismatch. Fetching a new token`)
+
+		const { data: { token } } = await axios.get(generateUrl('/csrftoken'))
+		console.debug(`New request token ${token} fetched`)
+		axios.defaults.headers.requesttoken = token
+
+		return axios({
+			...config,
+			headers: {
+				...config.headers,
+				requesttoken: token,
+			},
+			[RETRY_KEY]: true,
+		})
+	}
+
+	return Promise.reject(error)
+}

package-lock.json

@@ -16,8 +16,8 @@
 		"build": "rollup --config rollup.config.js",
 		"check-types": "tsc",
 		"dev": "rollup --config rollup.config.js --watch",
-		"test": "jest",
-		"test:watch": "jest --watchAll"
+		"test": "jest --setupFiles '<rootDir>/test/setup.js'",
+		"test:watch": "jest --setupFiles '<rootDir>/test/setup.js' --watchAll"
 	},
 	"repository": {
 		"type": "git",
@@ -37,6 +37,7 @@
 	"homepage": "https://github.com/nextcloud/nextcloud-axios#readme",
 	"dependencies": {
 		"@nextcloud/auth": "^2.0.0",
+		"@nextcloud/router": "^2.0.0",
 		"axios": "^0.27.2",
 		"tslib": "^2.4.0"
 	},

package.json

@@ -0,0 +1,88 @@
+import { onError } from '../../lib/interceptors/csrf-token'
+
+describe('CSRF token', () => {
+
+    let axiosMock
+    let interceptor
+
+    beforeEach(() => {
+        axiosMock = jest.fn()
+        axiosMock.get = jest.fn()
+        axiosMock.defaults = {
+            headers: {
+                requesttoken: 'old',
+            },
+        },
+        interceptor = onError(axiosMock)
+    })
+
+    it('does not retry successful requests', async () => {
+        try {
+            await interceptor({
+                config: {},
+                response: {
+                    status: 200,
+                    headers: {},
+                },
+                request: {
+                    responseURL: '/some/url',
+                },
+            })
+        } catch (e) {
+            expect(e.response.status).toBe(200)
+            expect(axiosMock).not.toHaveBeenCalled()
+            return
+        }
+        fail('Should not be reached')
+    })
+
+    it('does not retry if header missing', async () => {
+        try {
+            await interceptor({
+                config: {
+                    retryIfMaintenanceMode: true,
+                },
+                response: {
+                    status: 412,
+                    headers: {},
+                },
+                request: {
+                    responseURL: '/some/url',
+                },
+            })
+        } catch (e) {
+            expect(e.response.status).toBe(412)
+            expect(axiosMock).not.toHaveBeenCalled()
+            return
+        }
+        fail('Should not be reached')
+    })
+
+    it('does retry', async () => {
+        axiosMock.mockReturnValue({
+            status: 200,
+        })
+        axiosMock.get.mockReturnValue(Promise.resolve({
+            data: {
+                token: '123',
+            },
+            headers: {},
+        }))
+        const response = await interceptor({
+            config: {},
+            response: {
+                status: 412,
+                data: {
+                    message: 'CSRF check failed',
+                },
+            },
+            request: {
+                responseURL: '/some/url',
+            },
+        })
+        expect(axiosMock).toHaveBeenCalled()
+        expect(axiosMock.get).toHaveBeenCalled()
+        expect(axiosMock.defaults.headers.requesttoken).toBe('123')
+        expect(response?.status).toBe(200)
+    })
+})

test/interceptors/csrf-token.test.js

@@ -0,0 +1,8 @@
+global.OC = {
+	config: {
+        modRewriteWorking: true,
+    },
+    isUserAdmin() {
+        return false
+    },
+}