Changes report: Merge pull request #1501 from GandalfTheBlack16/master

 Add option to get the CSRF token from the Session Storage

Author: bnasslahsen

springdoc-openapi-starter-common/src/main/java/org/springdoc/core/properties/SwaggerUiConfigProperties.java

@@ -149,6 +149,11 @@ public static class Csrf {
 		 */
 		private boolean useLocalStorage;
 
+		/**
+		 * Use Session storage.
+		 */
+		private boolean useSessionStorage;
+
 		/**
 		 * The Cookie name.
 		 */
@@ -159,6 +164,11 @@ public static class Csrf {
 		 */
 		private String localStorageKey = Constants.CSRF_DEFAULT_LOCAL_STORAGE_KEY;
 
+		/**
+		 * The Session storage key.
+		 */
+		private String sessionStorageKey = Constants.CSRF_DEFAULT_LOCAL_STORAGE_KEY;
+
 		/**
 		 * The Header name.
 		 */
@@ -191,6 +201,15 @@ public boolean isUseLocalStorage() {
 			return useLocalStorage;
 		}
 
+		/**
+		 * Use Session storage boolean.
+		 *
+		 * @return the boolean
+		 */
+		public boolean isUseSessionStorage() {
+			return useSessionStorage;
+		}
+
 		/**
 		 * Sets useLocalStorage.
 		 *
@@ -200,6 +219,15 @@ public void setUseLocalStorage(boolean useLocalStorage) {
 			this.useLocalStorage = useLocalStorage;
 		}
 
+		/**
+		 * Sets useSessionStorage.
+		 *
+		 * @param useSessionStorage the use local storage
+		 */
+		public void setUseSessionStorage(boolean useSessionStorage) {
+			this.useSessionStorage = useSessionStorage;
+		}
+
 		/**
 		 * Gets cookie name.
 		 *
@@ -227,6 +255,15 @@ public String getLocalStorageKey() {
 			return localStorageKey;
 		}
 
+		/**
+		 * Gets session storage key.
+		 *
+		 * @return the cookie name
+		 */
+		public String getSessionStorageKey() {
+			return sessionStorageKey;
+		}
+
 		/**
 		 * Sets local storage key.
 		 *
@@ -236,6 +273,15 @@ public void setLocalStorageKey(String localStorageKey) {
 			this.localStorageKey = localStorageKey;
 		}
 
+		/**
+		 * Sets local storage key.
+		 *
+		 * @param sessionStorageKey the local storage key
+		 */
+		public void setSessionStorageKey(String sessionStorageKey) {
+			this.sessionStorageKey = sessionStorageKey;
+		}
+
 		/**
 		 * Gets header name.
 		 *

springdoc-openapi-starter-common/src/main/java/org/springdoc/ui/AbstractSwaggerIndexTransformer.java

@@ -1,6 +1,7 @@
 /*
  *
  *  *
+ *  *  * Copyright 2019-2020 the original author or authors.
  *  *  *
  *  *  *  * Copyright 2019-2022 the original author or authors.
  *  *  *  *
@@ -147,6 +148,8 @@ protected String defaultTransformations(InputStream inputStream) throws IOExcept
 		if (swaggerUiConfig.isCsrfEnabled()) {
 			if (swaggerUiConfig.getCsrf().isUseLocalStorage())
 				html = addCSRFLocalStorage(html);
+			else if (swaggerUiConfig.getCsrf().isUseSessionStorage())
+				html = addCSRFSessionStorage(html);
 			else
 				html = addCSRF(html);
 		}
@@ -228,16 +231,40 @@ protected String addCSRF(String html) {
 	protected String addCSRFLocalStorage(String html) {
 		StringBuilder stringBuilder = new StringBuilder();
 		stringBuilder.append("requestInterceptor: (request) => {\n");
-		stringBuilder.append("t\t\tconst value = window.localStorage.getItem('");
+		stringBuilder.append("\t\t\tconst value = window.localStorage.getItem('");
 		stringBuilder.append(swaggerUiConfig.getCsrf().getLocalStorageKey() + "');\n");
-		stringBuilder.append("t\t\tconst currentURL = new URL(document.URL);\n");
-		stringBuilder.append("t\t\tconst requestURL = new URL(request.url, document.location.origin);\n");
-		stringBuilder.append("t\t\tconst isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
-		stringBuilder.append("t\t\tif (isSameOrigin) ");
+		stringBuilder.append("\t\t\tconst currentURL = new URL(document.URL);\n");
+		stringBuilder.append("\t\t\tconst requestURL = new URL(request.url, document.location.origin);\n");
+		stringBuilder.append("\t\t\tconst isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
+		stringBuilder.append("\t\t\tif (isSameOrigin) ");
 		stringBuilder.append("request.headers['");
 		stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
 		stringBuilder.append("'] = value;\n");
-		stringBuilder.append("t\t\treturn request;\n");
+		stringBuilder.append("\t\t\treturn request;\n");
+		stringBuilder.append("\t\t},\n");
+		stringBuilder.append("\t\t" + PRESETS);
+		return html.replace(PRESETS, stringBuilder.toString());
+	}
+
+	/**
+	 * Add csrf string from Session storage.
+	 *
+	 * @param html the html
+	 * @return the string
+	 */
+	protected String addCSRFSessionStorage(String html) {
+		StringBuilder stringBuilder = new StringBuilder();
+		stringBuilder.append("requestInterceptor: (request) => {\n");
+		stringBuilder.append("\t\t\tconst value = window.sessionStorage.getItem('");
+		stringBuilder.append(swaggerUiConfig.getCsrf().getSessionStorageKey() + "');\n");
+		stringBuilder.append("\t\t\tconst currentURL = new URL(document.URL);\n");
+		stringBuilder.append("\t\t\tconst requestURL = new URL(request.url, document.location.origin);\n");
+		stringBuilder.append("\t\t\tconst isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
+		stringBuilder.append("\t\t\tif (isSameOrigin) ");
+		stringBuilder.append("request.headers['");
+		stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
+		stringBuilder.append("'] = value.replace(/['\"]+/g,'');\n");
+		stringBuilder.append("\t\t\treturn request;\n");
 		stringBuilder.append("\t\t},\n");
 		stringBuilder.append("\t\t" + PRESETS);
 		return html.replace(PRESETS, stringBuilder.toString());