feature #2022 [LiveComponent] Update CSRF token after component request (tijnema)

smnandre · smnandre · commit f2deb0f02ab0 · 2024-09-12T19:42:03.000+02:00
This PR was squashed before being merged into the 2.x branch. Discussion ---------- [LiveComponent] Update CSRF token after component request | Q | A | ------------- | --- | Bug fix? | yes | New feature? | yes | Issues | | License | MIT When CSRF is enabled on live components, each request will received a new CSRF token in the response. Currently all subsequent requests made by live components will use the initial CSRF token received. This PR solves this, by updating the CSRF token with the one received in the last response. Commits ------- 52ca1c9 [LiveComponent] Update CSRF token after component request
diff --git a/src/LiveComponent/assets/dist/Backend/Backend.d.ts b/src/LiveComponent/assets/dist/Backend/Backend.d.ts
@@ -13,6 +13,7 @@ export interface BackendInterface {
     }, files: {
         [key: string]: FileList;
     }): BackendRequest;
+    updateCsrfToken(csrfToken: string): void;
 }
 export interface BackendAction {
     name: string;
@@ -28,4 +29,5 @@ export default class implements BackendInterface {
     }, files: {
         [key: string]: FileList;
     }): BackendRequest;
+    updateCsrfToken(csrfToken: string): void;
 }
diff --git a/src/LiveComponent/assets/dist/Backend/RequestBuilder.d.ts b/src/LiveComponent/assets/dist/Backend/RequestBuilder.d.ts
@@ -2,7 +2,7 @@ import type { BackendAction, ChildrenFingerprints } from './Backend';
 export default class {
     private url;
     private method;
-    private readonly csrfToken;
+    private csrfToken;
     constructor(url: string, method?: 'get' | 'post', csrfToken?: string | null);
     buildRequest(props: any, actions: BackendAction[], updated: {
         [key: string]: any;
@@ -15,4 +15,5 @@ export default class {
         fetchOptions: RequestInit;
     };
     private willDataFitInUrl;
+    updateCsrfToken(csrfToken: string): void;
 }
diff --git a/src/LiveComponent/assets/dist/live_controller.js b/src/LiveComponent/assets/dist/live_controller.js
@@ -2052,6 +2052,9 @@ class Component {
                 return response;
             }
             this.processRerender(html, backendResponse);
+            if (this.element.dataset.liveCsrfValue) {
+                this.backend.updateCsrfToken(this.element.dataset.liveCsrfValue);
+            }
             this.backendRequest = null;
             thisPromiseResolve(backendResponse);
             if (this.isRequestPending) {
@@ -2325,6 +2328,9 @@ class RequestBuilder {
         const urlEncodedJsonData = new URLSearchParams(propsJson + updatedJson + childrenJson + propsFromParentJson).toString();
         return (urlEncodedJsonData + params.toString()).length < 1500;
     }
+    updateCsrfToken(csrfToken) {
+        this.csrfToken = csrfToken;
+    }
 }
 
 class Backend {
@@ -2335,6 +2341,9 @@ class Backend {
         const { url, fetchOptions } = this.requestBuilder.buildRequest(props, actions, updated, children, updatedPropsFromParent, files);
         return new BackendRequest(fetch(url, fetchOptions), actions.map((backendAction) => backendAction.name), Object.keys(updated));
     }
+    updateCsrfToken(csrfToken) {
+        this.requestBuilder.updateCsrfToken(csrfToken);
+    }
 }
 
 class StimulusElementDriver {
diff --git a/src/LiveComponent/assets/src/Backend/Backend.ts b/src/LiveComponent/assets/src/Backend/Backend.ts
@@ -15,6 +15,7 @@ export interface BackendInterface {
         updatedPropsFromParent: { [key: string]: any },
         files: { [key: string]: FileList }
     ): BackendRequest;
+    updateCsrfToken(csrfToken: string): void;
 }
 
 export interface BackendAction {
@@ -52,4 +53,8 @@ export default class implements BackendInterface {
             Object.keys(updated)
         );
     }
+
+    updateCsrfToken(csrfToken: string) {
+        this.requestBuilder.updateCsrfToken(csrfToken);
+    }
 }
diff --git a/src/LiveComponent/assets/src/Backend/RequestBuilder.ts b/src/LiveComponent/assets/src/Backend/RequestBuilder.ts
@@ -3,7 +3,7 @@ import type { BackendAction, ChildrenFingerprints } from './Backend';
 export default class {
     private url: string;
     private method: 'get' | 'post';
-    private readonly csrfToken: string | null;
+    private csrfToken: string | null;
 
     constructor(url: string, method: 'get' | 'post' = 'post', csrfToken: string | null = null) {
         this.url = url;
@@ -117,4 +117,8 @@ export default class {
         // if the URL gets remotely close to 2000 chars, it may not fit
         return (urlEncodedJsonData + params.toString()).length < 1500;
     }
+
+    updateCsrfToken(csrfToken: string) {
+        this.csrfToken = csrfToken;
+    }
 }
diff --git a/src/LiveComponent/assets/src/Component/index.ts b/src/LiveComponent/assets/src/Component/index.ts
@@ -329,6 +329,11 @@ export default class Component {
 
             this.processRerender(html, backendResponse);
 
+            // Store updated csrf token
+            if (this.element.dataset.liveCsrfValue) {
+                this.backend.updateCsrfToken(this.element.dataset.liveCsrfValue);
+            }
+
             // finally resolve this promise
             this.backendRequest = null;
             thisPromiseResolve(backendResponse);
diff --git a/src/LiveComponent/assets/test/controller/render.test.ts b/src/LiveComponent/assets/test/controller/render.test.ts
@@ -630,4 +630,23 @@ describe('LiveController rendering Tests', () => {
         // verify the selectedIndex of the select option 2 is 0
         expect(selectOption2.selectedIndex).toBe(0);
     });
+
+    it('backend will have a new csrf token', async () => {
+        const test = await createTest(
+            {},
+            (data: any) => `
+            <div ${initComponent(data)} data-live-csrf-value="${data.csrf}">
+            </div>
+        `
+        );
+
+        test.expectsAjaxCall().serverWillChangeProps((data: any) => {
+            // change csrf token
+            data.csrf = 'Hello';
+        });
+
+        await test.component.render();
+
+        expect(test.mockedBackend.csrfToken).toEqual('Hello');
+    });
 });
diff --git a/src/LiveComponent/assets/test/tools.ts b/src/LiveComponent/assets/test/tools.ts
@@ -98,6 +98,8 @@ class FunctionalTest {
 class MockedBackend implements BackendInterface {
     private expectedMockedAjaxCalls: Array<MockedAjaxCall> = [];
 
+    public csrfToken: string | null = null;
+
     addMockedAjaxCall(mock: MockedAjaxCall) {
         this.expectedMockedAjaxCalls.push(mock);
     }
@@ -139,6 +141,10 @@ class MockedBackend implements BackendInterface {
         return matchedMock.createBackendRequest();
     }
 
+    updateCsrfToken(csrfToken: string) {
+        this.csrfToken = csrfToken;
+    }
+
     getExpectedMockedAjaxCalls(): Array<MockedAjaxCall> {
         return this.expectedMockedAjaxCalls;
     }

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ export interface BackendInterface {`
`13`	`13`	`}, files: {`
`14`	`14`	`[key: string]: FileList;`
`15`	`15`	`}): BackendRequest;`
	`16`	`+ updateCsrfToken(csrfToken: string): void;`
`16`	`17`	`}`
`17`	`18`	`export interface BackendAction {`
`18`	`19`	`name: string;`
`@@ -28,4 +29,5 @@ export default class implements BackendInterface {`
`28`	`29`	`}, files: {`
`29`	`30`	`[key: string]: FileList;`
`30`	`31`	`}): BackendRequest;`
	`32`	`+ updateCsrfToken(csrfToken: string): void;`
`31`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2052,6 +2052,9 @@ class Component {`
`2052`	`2052`	`return response;`
`2053`	`2053`	`}`
`2054`	`2054`	`this.processRerender(html, backendResponse);`
	`2055`	`+ if (this.element.dataset.liveCsrfValue) {`
	`2056`	`+ this.backend.updateCsrfToken(this.element.dataset.liveCsrfValue);`
	`2057`	`+ }`
`2055`	`2058`	`this.backendRequest = null;`
`2056`	`2059`	`thisPromiseResolve(backendResponse);`
`2057`	`2060`	`if (this.isRequestPending) {`
`@@ -2325,6 +2328,9 @@ class RequestBuilder {`
`2325`	`2328`	`const urlEncodedJsonData = new URLSearchParams(propsJson + updatedJson + childrenJson + propsFromParentJson).toString();`
`2326`	`2329`	`return (urlEncodedJsonData + params.toString()).length < 1500;`
`2327`	`2330`	`}`
	`2331`	`+ updateCsrfToken(csrfToken) {`
	`2332`	`+ this.csrfToken = csrfToken;`
	`2333`	`+ }`
`2328`	`2334`	`}`
`2329`	`2335`
`2330`	`2336`	`class Backend {`
`@@ -2335,6 +2341,9 @@ class Backend {`
`2335`	`2341`	`const { url, fetchOptions } = this.requestBuilder.buildRequest(props, actions, updated, children, updatedPropsFromParent, files);`
`2336`	`2342`	`return new BackendRequest(fetch(url, fetchOptions), actions.map((backendAction) => backendAction.name), Object.keys(updated));`
`2337`	`2343`	`}`
	`2344`	`+ updateCsrfToken(csrfToken) {`
	`2345`	`+ this.requestBuilder.updateCsrfToken(csrfToken);`
	`2346`	`+ }`
`2338`	`2347`	`}`
`2339`	`2348`
`2340`	`2349`	`class StimulusElementDriver {`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ export interface BackendInterface {`
`15`	`15`	`updatedPropsFromParent: { [key: string]: any },`
`16`	`16`	`files: { [key: string]: FileList }`
`17`	`17`	`): BackendRequest;`
	`18`	`+ updateCsrfToken(csrfToken: string): void;`
`18`	`19`	`}`
`19`	`20`
`20`	`21`	`export interface BackendAction {`
`@@ -52,4 +53,8 @@ export default class implements BackendInterface {`
`52`	`53`	`Object.keys(updated)`
`53`	`54`	`);`
`54`	`55`	`}`
	`56`	`+`
	`57`	`+ updateCsrfToken(csrfToken: string) {`
	`58`	`+ this.requestBuilder.updateCsrfToken(csrfToken);`
	`59`	`+ }`
`55`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -98,6 +98,8 @@ class FunctionalTest {`
`98`	`98`	`class MockedBackend implements BackendInterface {`
`99`	`99`	`private expectedMockedAjaxCalls: Array<MockedAjaxCall> = [];`
`100`	`100`
	`101`	`+ public csrfToken: string \| null = null;`
	`102`	`+`
`101`	`103`	`addMockedAjaxCall(mock: MockedAjaxCall) {`
`102`	`104`	`this.expectedMockedAjaxCalls.push(mock);`
`103`	`105`	`}`
`@@ -139,6 +141,10 @@ class MockedBackend implements BackendInterface {`
`139`	`141`	`return matchedMock.createBackendRequest();`
`140`	`142`	`}`
`141`	`143`
	`144`	`+ updateCsrfToken(csrfToken: string) {`
	`145`	`+ this.csrfToken = csrfToken;`
	`146`	`+ }`
	`147`	`+`
`142`	`148`	`getExpectedMockedAjaxCalls(): Array<MockedAjaxCall> {`
`143`	`149`	`return this.expectedMockedAjaxCalls;`
`144`	`150`	`}`