Incorporate CSRF token handling into the GAM security provider.

dotnet/src/dotnetframework/GxClasses/Core/gxconfig.cs

@@ -794,7 +794,7 @@ public class Preferences
 		public static string DefaultRewriteFile = "rewrite.config";
 		const string USE_NAMED_PARAMETERS = "UseNamedParameters";
 		const string REST_DATES_WITH_MILLIS = "REST_DATES_WITH_MILLIS";
-		const string YES = "1";
+		internal const string YES = "1";
 		const string NO = "0";
 		static string defaultDatastore;
 		const string DEFAULT_DS = "Default";
@@ -867,9 +867,9 @@ public static bool RewriteEnabled
 				if (rewriteEnabled == -1)
 				{
 #if NETCORE
-					var basePath = FileUtil.GetBasePath();
+					string basePath = FileUtil.GetBasePath();
 #else
-					var basePath = Directory.GetParent(FileUtil.GetStartupDirectory()).FullName;
+					string basePath = Directory.GetParent(FileUtil.GetStartupDirectory()).FullName;
 #endif
 					string rewriteFile = Path.Combine(basePath, DefaultRewriteFile);
 					rewriteEnabled = File.Exists(rewriteFile)?1:0;

dotnet/src/dotnetframework/GxClasses/Helpers/GXRestUtils.cs

@@ -11,8 +11,7 @@
 using log4net;
 using System.IO;
 using Jayrock.Json;
-
-
+using GeneXus.Configuration;
 
 namespace GeneXus.Utils
 {
@@ -140,5 +139,10 @@ public static Dictionary<string, object> ReadRestBodyParameters(Stream stream)
 			}
 			return bodyParameters;
 		}
+
+		internal static bool ValidateCsrfToken()
+		{
+			return Config.GetValueOf("ValidateCSRF", Preferences.YES) == Preferences.YES;
+		}
 	}
 }

dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs

@@ -50,6 +50,7 @@ public class HttpHeader
 		public static string XGXFILENAME = "x-gx-filename";
 		internal static string ACCEPT = "Accept";
 		internal static string TRANSFER_ENCODING = "Transfer-Encoding";
+		internal static string X_GXCSRF_TOKEN = "X-GXCSRF-TOKEN";
 	}
 	internal class HttpHeaderValue
 	{
@@ -91,6 +92,7 @@ public class HttpHelper
 		const string GAM_CODE_OTP_USER_ACCESS_CODE_SENT = "400";
 		const string GAM_CODE_TFA_USER_MUST_VALIDATE = "410";
 		const string GAM_CODE_TOKEN_EXPIRED = "103";
+		const string GAM_CODE_CSRF_INVALID_TOKEN = "550";
 		static Regex CapitalsToTitle = new Regex(@"(?<=[A-Z])(?=[A-Z][a-z]) | (?<=[^A-Z])(?=[A-Z]) | (?<=[A-Za-z])(?=[^A-Za-z])", RegexOptions.IgnorePatternWhitespace);
 
 		const string CORS_MAX_AGE_SECONDS = "86400";
@@ -252,6 +254,10 @@ private static HttpStatusCode GamCodeToHttpStatus(string code, HttpStatusCode de
 			{
 				return HttpStatusCode.Forbidden;
 			}
+			else if (code == GAM_CODE_CSRF_INVALID_TOKEN)
+			{
+				return HttpStatusCode.BadRequest;
+			}
 			return defaultCode;
 		}
 		private static void SetJsonError(HttpContext httpContext, string statusCode, string statusDescription)

dotnet/src/dotnetframework/GxClasses/Security/GxSecurityProvider.cs

@@ -20,7 +20,9 @@ public class OutData : Dictionary<string, object>
 	public interface ISecurityProvider
 	{
 		GxResult checkaccesstoken(IGxContext context, String token, out bool isOK);
+		GxResult checkaccesstoken(IGxContext context, bool useCSRF_Token, out string CSRF_Token, out bool isOK);
 		GxResult checkaccesstokenprm(IGxContext context, String token, String permissionPrefix, out bool sessionOk, out bool permissionOk);
+		GxResult checkaccesstokenprm(IGxContext context, bool useCSRF_Token, string permissionName, out string CSRF_Token, out bool sessionOk, out bool permission);
 		void checksession(IGxContext context, string CleanAbsoluteUri, out bool isOK);
 		void checksessionprm(IGxContext context, string pathAndQuery, String permissionPrefix, out bool isOK, out bool isPermissionOK);
 		GxResult refreshtoken(IGxContext context, String clientId, String clientSecret, String refreshToken, out OutData outData, out bool flag);
@@ -88,14 +90,25 @@ public GxResult checkaccesstoken(IGxContext context, string token, out bool isOK
 			isOK = false;
 			return new GxResult();
 		}
-
+		public GxResult checkaccesstoken(IGxContext context, bool useCSRF_Token, out string CSRF_Token, out bool isOK)
+		{
+			isOK = false;
+			CSRF_Token = string.Empty;
+			return new GxResult();
+		}
 		public GxResult checkaccesstokenprm(IGxContext context, string token, string permissionPrefix, out bool sessionOk, out bool permissionOk)
 		{
 			permissionOk = false;
 			sessionOk = true;
 			return new GxResult();
 		}
-
+		public GxResult checkaccesstokenprm(IGxContext context, bool useCSRF_Token, string permissionName, out string CSRF_Token, out bool sessionOk, out bool permission)
+		{
+			sessionOk = false;
+			permission = false;
+			CSRF_Token = string.Empty;
+			return new GxResult();
+		}
 		public void checksession(IGxContext context, string CleanAbsoluteUri, out bool isOK)
 		{
 			isOK = false;

dotnet/src/dotnetframework/GxClasses/Services/GXRestServices.cs

@@ -450,23 +450,34 @@ private bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool o
 				else
 				{
 
-					token = token.Replace("OAuth ", "");
+					string CSRFToken;
+					bool validateCSRFToken = false;
 					if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)
 					{
 						bool isOK;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(context, token, out isOK);
+						validateCSRFToken = RestAPIHelpers.ValidateCsrfToken();
+						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(context, validateCSRFToken, out CSRFToken, out isOK);
 						if (!isOK)
 						{
 							HttpHelper.SetGamError(httpContext, result.Code, result.Description);
 							return false;
 						}
+						else
+						{
+							if (!string.IsNullOrEmpty(CSRFToken))
+								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
+						}
+
 					}
 					else if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityHigh)
 					{
 						bool sessionOk, permissionOk;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(context, token, objPermissionPrefix, out sessionOk, out permissionOk);
+						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(context, validateCSRFToken, objPermissionPrefix, out CSRFToken, out sessionOk, out permissionOk);
 						if (permissionOk)
 						{
+							if (!string.IsNullOrEmpty(CSRFToken))
+								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
+
 							return true;
 						}
 						else

dotnet/src/dotnetframework/GxClasses/Services/GxRestWrapper.cs

@@ -567,24 +567,32 @@ protected bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool
 				}
 				else
 				{
-
-					token = token.Replace("OAuth ", "");
+					string CSRFToken;
+					bool validateCSRFToken = false;
 					if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)
 					{
 						bool isOK;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(_gxContext, token, out isOK);
+						validateCSRFToken = RestAPIHelpers.ValidateCsrfToken();
+						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(_gxContext, validateCSRFToken, out CSRFToken, out isOK);
 						if (!isOK)
 						{
 							HttpHelper.SetGamError(_httpContext, result.Code, result.Description);
 							return false;
 						}
+						else
+						{
+							if (!string.IsNullOrEmpty(CSRFToken))
+								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
+						}
 					}
 					else if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityHigh)
 					{
 						bool sessionOk, permissionOk;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(_gxContext, token, objPermissionPrefix, out sessionOk, out permissionOk);
+						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(_gxContext, validateCSRFToken, objPermissionPrefix, out CSRFToken, out sessionOk, out permissionOk);
 						if (permissionOk)
 						{
+							if (!string.IsNullOrEmpty(CSRFToken))
+								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
 							return true;
 						}
 						else