fix(OC): validate request token and move logic to one place

Signed-off-by: Ferdinand Thiessen <[email protected]>
nextcloud · AndyScherzinger · Jun 17, 2025 · Jun 4, 2025 · Jun 4, 2025 · Jun 4, 2025
commit d332a22e7815a0eb25cf5093539d6c97c3e6f7fe
diff --git a/__tests__/FixJSDOMEnvironment.ts b/__tests__/FixJSDOMEnvironment.ts
@@ -2,16 +2,17 @@
  * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
-import JSDOMEnvironment from 'jest-environment-jsdom'
+import FixedJSDOMEnvironment from 'jest-fixed-jsdom'
 
 // https://github.com/facebook/jest/blob/v29.4.3/website/versioned_docs/version-29.4/Configuration.md#testenvironment-string
-export default class FixJSDOMEnvironment extends JSDOMEnvironment {
+export default class FixJSDOMEnvironment extends FixedJSDOMEnvironment {
 
-	constructor(...args: ConstructorParameters<typeof JSDOMEnvironment>) {
+	constructor(...args: ConstructorParameters<typeof FixedJSDOMEnvironment>) {
 		super(...args)
 
 		// https://github.com/jsdom/jsdom/issues/3363
 		// 31 ad above switched to vitest and don't have that issue
+		// @ts-expect-error see JSDOMEnvironment
 		this.global.structuredClone = structuredClone
 	}
 

diff --git a/__tests__/mock-window.js b/__tests__/mock-window.js
@@ -6,3 +6,5 @@
 window.OC = { ...window.OC }
 window.OCA = { ...window.OCA }
 window.OCP = { ...window.OCP }
+
+window._oc_webroot = ''
diff --git a/core/src/OC/index.js b/core/src/OC/index.js
@@ -49,9 +49,7 @@ import {
 	getPort,
 	getProtocol,
 } from './host.js'
-import {
-	getToken as getRequestToken,
-} from './requesttoken.ts'
+import { getRequestToken } from './requesttoken.ts'
 import {
 	hideMenus,
 	registerMenu,

diff --git a/core/src/OC/requesttoken.ts b/core/src/OC/requesttoken.ts
@@ -4,36 +4,46 @@
  */
 
 import { emit } from '@nextcloud/event-bus'
+import { generateUrl } from '@nextcloud/router'
 
 /**
- * @private
- * @param {Document} global the document to read the initial value from
- * @param {Function} emit the function to invoke for every new token
- * @return {object}
+ * Get the current CSRF token.
  */
-export const manageToken = (global, emit) => {
-	let token = global.getElementsByTagName('head')[0].getAttribute('data-requesttoken')
-
-	return {
-		getToken: () => token,
-		setToken: newToken => {
-			token = newToken
-
-			emit('csrf-token-update', {
-				token,
-			})
-		},
-	}
+export function getRequestToken(): string {
+	return document.head.dataset.requesttoken!
 }
 
-const manageFromDocument = manageToken(document, emit)
-
 /**
- * @return {string}
+ * Set a new CSRF token (e.g. because of session refresh).
+ * This also emits an event bus event for the updated token.
+ *
+ * @param token - The new token
+ * @fires Error - If the passed token is not a potential valid token
  */
-export const getToken = manageFromDocument.getToken
+export function setRequestToken(token: string): void {
+	if (!token || typeof token !== 'string') {
+		throw new Error('Invalid CSRF token given', { cause: { token } })
+	}
+
+	document.head.dataset.requesttoken = token
+	emit('csrf-token-update', { token })
+}
 
 /**
- * @param {string} newToken new token
+ * Fetch the request token from the API.
+ * This does also set it on the current context, see `setRequestToken`.
+ *
+ * @fires Error - If the request failed
  */
-export const setToken = manageFromDocument.setToken
+export async function fetchRequestToken(): Promise<string> {
+	const url = generateUrl('/csrftoken')
+
+	const response = await fetch(url)
+	if (!response.ok) {
+		throw new Error('Could not fetch CSRF token from API', { cause: response })
+	}
+
+	const { token } = await response.json()
+	setRequestToken(token)
+	return token
+}
diff --git a/core/src/globals.js b/core/src/globals.js
@@ -29,7 +29,7 @@ import 'strengthify/strengthify.css'
 import OC from './OC/index.js'
 import OCP from './OCP/index.js'
 import OCA from './OCA/index.js'
-import { getToken as getRequestToken } from './OC/requesttoken.ts'
+import { getRequestToken } from './OC/requesttoken.ts'
 
 const warnIfNotTesting = function() {
 	if (window.TESTING === undefined) {

diff --git a/core/src/jquery/requesttoken.js b/core/src/jquery/requesttoken.js
@@ -5,11 +5,11 @@
 
 import $ from 'jquery'
 
-import { getToken } from '../OC/requesttoken.ts'
+import { getRequestToken } from '../OC/requesttoken.ts'
 
 $(document).on('ajaxSend', function(elm, xhr, settings) {
 	if (settings.crossDomain === false) {
-		xhr.setRequestHeader('requesttoken', getToken())
+		xhr.setRequestHeader('requesttoken', getRequestToken())
 		xhr.setRequestHeader('OCS-APIREQUEST', 'true')
 	}
 })
diff --git a/core/src/tests/OC/requesttoken.spec.js b/core/src/tests/OC/requesttoken.spec.js
diff --git a/core/src/tests/OC/requesttoken.spec.ts b/core/src/tests/OC/requesttoken.spec.ts
@@ -0,0 +1,147 @@
+/**
+ * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { setupServer } from 'msw/node'
+import { http, HttpResponse } from 'msw'
+import { beforeAll, beforeEach, describe, expect, it, jest } from '@jest/globals'
+import { fetchRequestToken, getRequestToken, setRequestToken } from '../../OC/requesttoken.ts'
+import * as eventbus from '@nextcloud/event-bus'
+
+jest.mock('@nextcloud/event-bus', () => ({ emit: jest.fn() }))
+
+const server = setupServer()
+
+describe('getRequestToken', () => {
+	it('can read the token from DOM', () => {
+		mockToken('tokenmock-123')
+		expect(getRequestToken()).toBe('tokenmock-123')
+	})
+
+	it('can handle missing token', () => {
+		mockToken(undefined)
+		expect(getRequestToken()).toBeUndefined()
+	})
+})
+
+describe('setRequestToken', () => {
+	beforeEach(() => {
+		jest.resetAllMocks()
+	})
+
+	it('does emit an event on change', () => {
+		setRequestToken('new-token')
+		expect(eventbus.emit).toBeCalledTimes(1)
+		expect(eventbus.emit).toBeCalledWith('csrf-token-update', { token: 'new-token' })
+	})
+
+	it('does set the new token to the DOM', () => {
+		setRequestToken('new-token')
+		expect(document.head.dataset.requesttoken).toBe('new-token')
+	})
+
+	it('does remember the new token', () => {
+		mockToken('old-token')
+		setRequestToken('new-token')
+		expect(getRequestToken()).toBe('new-token')
+	})
+
+	it('throws if the token is not a string', () => {
+		// @ts-expect-error mocking
+		expect(() => setRequestToken(123)).toThrowError('Invalid CSRF token given')
+	})
+
+	it('throws if the token is not valid', () => {
+		expect(() => setRequestToken('')).toThrowError('Invalid CSRF token given')
+	})
+
+	it('does not emit an event if the token is not valid', () => {
+		expect(() => setRequestToken('')).toThrowError('Invalid CSRF token given')
+		expect(eventbus.emit).not.toBeCalled()
+	})
+})
+
+describe('fetchRequestToken', () => {
+	const successfullCsrf = http.get('/index.php/csrftoken', () => {
+		return HttpResponse.json({ token: 'new-token' })
+	})
+	const forbiddenCsrf = http.get('/index.php/csrftoken', () => {
+		return HttpResponse.json([], { status: 403 })
+	})
+	const serverErrorCsrf = http.get('/index.php/csrftoken', () => {
+		return HttpResponse.json([], { status: 500 })
+	})
+	const networkErrorCsrf = http.get('/index.php/csrftoken', () => {
+		return new HttpResponse(null, { type: 'error' })
+	})
+
+	beforeAll(() => {
+		server.listen()
+	})
+
+	beforeEach(() => {
+		jest.resetAllMocks()
+	})
+
+	it('correctly parses response', async () => {
+		server.use(successfullCsrf)
+
+		mockToken('oldToken')
+		const token = await fetchRequestToken()
+		expect(token).toBe('new-token')
+	})
+
+	it('sets the token', async () => {
+		server.use(successfullCsrf)
+
+		mockToken('oldToken')
+		await fetchRequestToken()
+		expect(getRequestToken()).toBe('new-token')
+	})
+
+	it('does emit an event', async () => {
+		server.use(successfullCsrf)
+
+		await fetchRequestToken()
+		expect(eventbus.emit).toBeCalledTimes(1)
+		expect(eventbus.emit).toBeCalledWith('csrf-token-update', { token: 'new-token' })
+	})
+
+	it('handles 403 error due to invalid cookies', async () => {
+		server.use(forbiddenCsrf)
+
+		mockToken('oldToken')
+		await expect(() => fetchRequestToken()).rejects.toThrowError('Could not fetch CSRF token from API')
+		expect(getRequestToken()).toBe('oldToken')
+	})
+
+	it('handles server error', async () => {
+		server.use(serverErrorCsrf)
+
+		mockToken('oldToken')
+		await expect(() => fetchRequestToken()).rejects.toThrowError('Could not fetch CSRF token from API')
+		expect(getRequestToken()).toBe('oldToken')
+	})
+
+	it('handles network error', async () => {
+		server.use(networkErrorCsrf)
+
+		mockToken('oldToken')
+		await expect(() => fetchRequestToken()).rejects.toThrow()
+		expect(getRequestToken()).toBe('oldToken')
+	})
+})
+
+/**
+ * Mock the request token directly so we can test reading it.
+ *
+ * @param token - The CSRF token to mock
+ */
+function mockToken(token?: string) {
+	if (token === undefined) {
+		delete document.head.dataset.requesttoken
+	} else {
+		document.head.dataset.requesttoken = token
+	}
+}
diff --git a/jest.config.ts b/jest.config.ts
@@ -44,6 +44,11 @@ const config: Config = {
 	],
 
 	testEnvironment: './__tests__/FixJSDOMEnvironment.ts',
+	testEnvironmentOptions: {
+		// https://mswjs.io/docs/migrations/1.x-to-2.x#cannot-find-module-mswnode-jsdom
+		customExportConditions: [''],
+	},
+
 	preset: 'ts-jest/presets/js-with-ts',
 
 	roots: [