SpaCsrfTokenRequestHandler(Kotlin) documented in csrf-integration-javascript-spa causes NullPointerException

[meouwu-dev]

springboot：3.2.1
springsecurity：6.2.1

When xsrf token is invalid, delegate.resolveCsrfTokenValue returns null, but the return type of SpaCsrfTokenRequestHandler.resolveCsrfTokenValue is not nullable, which causes NullPointerException

To Reproduce

Use the setup in csrf-integration-javascript-spa, and send a post request with invalid xsrf token, the server will throw NullPointerException.

Expected behavior

the server should throw InvalidCsrfTokenException

Possible solution

- override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String {
+ override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String? {
        /*
         * If the request contains a request header, use CsrfTokenRequestAttributeHandler
         * to resolve the CsrfToken. This applies when a single-page application includes
         * the header value automatically, which was obtained via a cookie containing the
         * raw CsrfToken.
         */
        return if (StringUtils.hasText(request.getHeader(csrfToken.headerName))) {
            super.resolveCsrfTokenValue(request, csrfToken)
        } else {
            /*
             * In all other cases (e.g. if the request contains a request parameter), use
             * XorCsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
             * when a server-side rendered form includes the _csrf request parameter as a
             * hidden input.
             */
            delegate.resolveCsrfTokenValue(request, csrfToken)
        }
    }

[jzheaux]

Hi, @meouwu-dev! I've tried applying the code from the reference and sent an invalid CSRF token; however, I get a 403 instead of a NullPointerException.

Can you please provide a reproducing GitHub sample? That will help get to the bottom of the issue faster.

If you like, you can push a commit to https://github.com/jzheaux/spring-security-samples/tree/gh-14634 to change its CSRF sample to better match what you are experiencing.

What I do after running that sample is the following:

http -a user:password POST :8080 Cookie:XSRF-TOKEN=c6e16183-bc43-40cf-8233-aba3959e2ce7 X-XSRF-TOKEN:c6e16183-bc43-40cf-8233-aba3959e2ce8

Note that the header value is invalid, while the repository is valid. The result is a 403.