Revert changes for CSRFTOken validation in GAM layer.

claudiamurialdo · claudiamurialdo · commit 427e4f5fc15a · 2023-08-22T10:09:15.000-03:00
diff --git a/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs b/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs
@@ -92,7 +92,6 @@ public class HttpHelper
 		const string GAM_CODE_OTP_USER_ACCESS_CODE_SENT = "400";
 		const string GAM_CODE_TFA_USER_MUST_VALIDATE = "410";
 		const string GAM_CODE_TOKEN_EXPIRED = "103";
-		const string GAM_CODE_CSRF_INVALID_TOKEN = "550";
 		static Regex CapitalsToTitle = new Regex(@"(?<=[A-Z])(?=[A-Z][a-z]) | (?<=[^A-Z])(?=[A-Z]) | (?<=[A-Za-z])(?=[^A-Za-z])", RegexOptions.IgnorePatternWhitespace);
 
 		const string CORS_MAX_AGE_SECONDS = "86400";
@@ -254,10 +253,6 @@ private static HttpStatusCode GamCodeToHttpStatus(string code, HttpStatusCode de
 			{
 				return HttpStatusCode.Forbidden;
 			}
-			else if (code == GAM_CODE_CSRF_INVALID_TOKEN)
-			{
-				return HttpStatusCode.BadRequest;
-			}
 			return defaultCode;
 		}
 		private static void SetJsonError(HttpContext httpContext, string statusCode, string statusDescription)
diff --git a/dotnet/src/dotnetframework/GxClasses/Security/GxSecurityProvider.cs b/dotnet/src/dotnetframework/GxClasses/Security/GxSecurityProvider.cs
@@ -20,9 +20,7 @@ public class OutData : Dictionary<string, object>
 	public interface ISecurityProvider
 	{
 		GxResult checkaccesstoken(IGxContext context, String token, out bool isOK);
-		GxResult checkaccesstoken(IGxContext context, bool useCSRF_Token, out string CSRF_Token, out bool isOK);
 		GxResult checkaccesstokenprm(IGxContext context, String token, String permissionPrefix, out bool sessionOk, out bool permissionOk);
-		GxResult checkaccesstokenprm(IGxContext context, bool useCSRF_Token, string permissionName, out string CSRF_Token, out bool sessionOk, out bool permission);
 		void checksession(IGxContext context, string CleanAbsoluteUri, out bool isOK);
 		void checksessionprm(IGxContext context, string pathAndQuery, String permissionPrefix, out bool isOK, out bool isPermissionOK);
 		GxResult refreshtoken(IGxContext context, String clientId, String clientSecret, String refreshToken, out OutData outData, out bool flag);
@@ -90,25 +88,12 @@ public GxResult checkaccesstoken(IGxContext context, string token, out bool isOK
 			isOK = false;
 			return new GxResult();
 		}
-		public GxResult checkaccesstoken(IGxContext context, bool useCSRF_Token, out string CSRF_Token, out bool isOK)
-		{
-			isOK = false;
-			CSRF_Token = string.Empty;
-			return new GxResult();
-		}
 		public GxResult checkaccesstokenprm(IGxContext context, string token, string permissionPrefix, out bool sessionOk, out bool permissionOk)
 		{
 			permissionOk = false;
 			sessionOk = true;
 			return new GxResult();
 		}
-		public GxResult checkaccesstokenprm(IGxContext context, bool useCSRF_Token, string permissionName, out string CSRF_Token, out bool sessionOk, out bool permission)
-		{
-			sessionOk = false;
-			permission = false;
-			CSRF_Token = string.Empty;
-			return new GxResult();
-		}
 		public void checksession(IGxContext context, string CleanAbsoluteUri, out bool isOK)
 		{
 			isOK = false;
diff --git a/dotnet/src/dotnetframework/GxClasses/Services/GXRestServices.cs b/dotnet/src/dotnetframework/GxClasses/Services/GXRestServices.cs
@@ -459,34 +459,23 @@ private bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool o
 				}
 				else
 				{
-					
-					string CSRFToken;
-					bool validateCSRFToken = false;//RestAPIHelpers.ValidateCsrfToken(); ;
+					token = token.Replace("OAuth ", "");
 					if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)
 					{
 						bool isOK;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(context, validateCSRFToken, out CSRFToken, out isOK);
+						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(context, token, out isOK);
 						if (!isOK)
 						{
 							HttpHelper.SetGamError(httpContext, result.Code, result.Description);
 							return false;
 						}
-						else
-						{
-							if (!string.IsNullOrEmpty(CSRFToken))
-								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
-						}
-									
 					}
 					else if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityHigh)
 					{
 						bool sessionOk, permissionOk;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(context, validateCSRFToken, objPermissionPrefix, out CSRFToken, out sessionOk, out permissionOk);
+						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(context, token, objPermissionPrefix, out sessionOk, out permissionOk);
 						if (permissionOk)
 						{
-							if (!string.IsNullOrEmpty(CSRFToken))
-								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
-
 							return true;
 						}
 						else
diff --git a/dotnet/src/dotnetframework/GxClasses/Services/GxRestWrapper.cs b/dotnet/src/dotnetframework/GxClasses/Services/GxRestWrapper.cs
@@ -567,31 +567,23 @@ protected bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool
 				}
 				else
 				{
-					string CSRFToken;
-					bool validateCSRFToken = false;// RestAPIHelpers.ValidateCsrfToken();
+					token = token.Replace("OAuth ", "");
 					if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)
 					{
 						bool isOK;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(_gxContext, validateCSRFToken, out CSRFToken, out isOK);
+						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(_gxContext, token, out isOK);
 						if (!isOK)
 						{
 							HttpHelper.SetGamError(_httpContext, result.Code, result.Description);
 							return false;
 						}
-						else
-						{
-							if (!string.IsNullOrEmpty(CSRFToken))
-								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
-						}
 					}
 					else if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityHigh)
 					{
 						bool sessionOk, permissionOk;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(_gxContext, validateCSRFToken, objPermissionPrefix, out CSRFToken, out sessionOk, out permissionOk);
+						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(_gxContext, token, objPermissionPrefix, out sessionOk, out permissionOk);
 						if (permissionOk)
 						{
-							if (!string.IsNullOrEmpty(CSRFToken))
-								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
 							return true;
 						}
 						else

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,6 @@ public class HttpHelper`
`92`	`92`	`const string GAM_CODE_OTP_USER_ACCESS_CODE_SENT = "400";`
`93`	`93`	`const string GAM_CODE_TFA_USER_MUST_VALIDATE = "410";`
`94`	`94`	`const string GAM_CODE_TOKEN_EXPIRED = "103";`
`95`		`- const string GAM_CODE_CSRF_INVALID_TOKEN = "550";`
`96`	`95`	`static Regex CapitalsToTitle = new Regex(@"(?<=[A-Z])(?=[A-Z][a-z]) \| (?<=[^A-Z])(?=[A-Z]) \| (?<=[A-Za-z])(?=[^A-Za-z])", RegexOptions.IgnorePatternWhitespace);`
`97`	`96`
`98`	`97`	`const string CORS_MAX_AGE_SECONDS = "86400";`
`@@ -254,10 +253,6 @@ private static HttpStatusCode GamCodeToHttpStatus(string code, HttpStatusCode de`
`254`	`253`	`{`
`255`	`254`	`return HttpStatusCode.Forbidden;`
`256`	`255`	`}`
`257`		`- else if (code == GAM_CODE_CSRF_INVALID_TOKEN)`
`258`		`- {`
`259`		`- return HttpStatusCode.BadRequest;`
`260`		`- }`
`261`	`256`	`return defaultCode;`
`262`	`257`	`}`
`263`	`258`	`private static void SetJsonError(HttpContext httpContext, string statusCode, string statusDescription)`
Original file line number	Diff line number	Diff line change
`@@ -459,34 +459,23 @@ private bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool o`
`459`	`459`	`}`
`460`	`460`	`else`
`461`	`461`	`{`
`462`		`-`
`463`		`- string CSRFToken;`
`464`		`- bool validateCSRFToken = false;//RestAPIHelpers.ValidateCsrfToken(); ;`
	`462`	`+ token = token.Replace("OAuth ", "");`
`465`	`463`	`if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)`
`466`	`464`	`{`
`467`	`465`	`bool isOK;`
`468`		`- GxResult result = GxSecurityProvider.Provider.checkaccesstoken(context, validateCSRFToken, out CSRFToken, out isOK);`
	`466`	`+ GxResult result = GxSecurityProvider.Provider.checkaccesstoken(context, token, out isOK);`
`469`	`467`	`if (!isOK)`
`470`	`468`	`{`
`471`	`469`	`HttpHelper.SetGamError(httpContext, result.Code, result.Description);`
`472`	`470`	`return false;`
`473`	`471`	`}`
`474`		`- else`
`475`		`- {`
`476`		`- if (!string.IsNullOrEmpty(CSRFToken))`
`477`		`- AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);`
`478`		`- }`
`479`		`-`
`480`	`472`	`}`
`481`	`473`	`else if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityHigh)`
`482`	`474`	`{`
`483`	`475`	`bool sessionOk, permissionOk;`
`484`		`- GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(context, validateCSRFToken, objPermissionPrefix, out CSRFToken, out sessionOk, out permissionOk);`
	`476`	`+ GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(context, token, objPermissionPrefix, out sessionOk, out permissionOk);`
`485`	`477`	`if (permissionOk)`
`486`	`478`	`{`
`487`		`- if (!string.IsNullOrEmpty(CSRFToken))`
`488`		`- AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);`
`489`		`-`
`490`	`479`	`return true;`
`491`	`480`	`}`
`492`	`481`	`else`
Original file line number	Diff line number	Diff line change
`@@ -567,31 +567,23 @@ protected bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool`
`567`	`567`	`}`
`568`	`568`	`else`
`569`	`569`	`{`
`570`		`- string CSRFToken;`
`571`		`- bool validateCSRFToken = false;// RestAPIHelpers.ValidateCsrfToken();`
	`570`	`+ token = token.Replace("OAuth ", "");`
`572`	`571`	`if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)`
`573`	`572`	`{`
`574`	`573`	`bool isOK;`
`575`		`- GxResult result = GxSecurityProvider.Provider.checkaccesstoken(_gxContext, validateCSRFToken, out CSRFToken, out isOK);`
	`574`	`+ GxResult result = GxSecurityProvider.Provider.checkaccesstoken(_gxContext, token, out isOK);`
`576`	`575`	`if (!isOK)`
`577`	`576`	`{`
`578`	`577`	`HttpHelper.SetGamError(_httpContext, result.Code, result.Description);`
`579`	`578`	`return false;`
`580`	`579`	`}`
`581`		`- else`
`582`		`- {`
`583`		`- if (!string.IsNullOrEmpty(CSRFToken))`
`584`		`- AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);`
`585`		`- }`
`586`	`580`	`}`
`587`	`581`	`else if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityHigh)`
`588`	`582`	`{`
`589`	`583`	`bool sessionOk, permissionOk;`
`590`		`- GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(_gxContext, validateCSRFToken, objPermissionPrefix, out CSRFToken, out sessionOk, out permissionOk);`
	`584`	`+ GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(_gxContext, token, objPermissionPrefix, out sessionOk, out permissionOk);`
`591`	`585`	`if (permissionOk)`
`592`	`586`	`{`
`593`		`- if (!string.IsNullOrEmpty(CSRFToken))`
`594`		`- AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);`
`595`	`587`	`return true;`
`596`	`588`	`}`
`597`	`589`	`else`