From 9648ebd71892daa996916f7f8492cc5a61d76ff8 Mon Sep 17 00:00:00 2001
From: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
Date: Thu, 25 Apr 2024 15:11:38 +0200
Subject: [PATCH 01/11] naive implementation of the csrf double submit pattern

Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
---
 .../models/auth/web/AuthCookieFilter.java     |  6 +-
 .../auth/web/csrf/CsrfTokenCheckFilter.java   | 48 +++++++++++
 .../auth/web/csrf/CsrfTokenSetFilter.java     | 52 +++++++++++
 .../resources/admin/AdminServlet.java         |  8 +-
 .../resources/admin/rest/UIProcessor.java     |  4 +-
 .../resources/admin/ui/AdminUIResource.java   | 15 ++--
 .../admin/ui/AuthOverviewUIResource.java      |  7 +-
 .../admin/ui/ConceptsUIResource.java          |  7 +-
 .../admin/ui/DatasetsUIResource.java          | 19 ++--
 .../resources/admin/ui/GroupUIResource.java   | 19 ++--
 .../admin/ui/IndexServiceUIResource.java      | 18 ++--
 .../resources/admin/ui/RoleUIResource.java    | 10 ++-
 .../resources/admin/ui/TablesUIResource.java  |  9 +-
 .../resources/admin/ui/UserUIResource.java    | 10 ++-
 .../admin/ui/model/ConnectorUIResource.java   |  7 +-
 .../resources/admin/ui/model/UIContext.java   |  3 +
 .../main/resources/assets/custom/js/script.js | 86 ++++++++++++++++++-
 .../resources/admin/ui/dataset.html.ftl       |  2 -
 .../resources/admin/ui/datasets.html.ftl      | 43 +---------
 .../resources/admin/ui/scripts/dataset.js     | 45 ----------
 .../admin/ui/templates/base.html.ftl          |  9 +-
 21 files changed, 296 insertions(+), 131 deletions(-)
 create mode 100644 backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
 create mode 100644 backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
 delete mode 100644 backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/scripts/dataset.js

diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java
index a6ab815dbf..015ec9634a 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java
@@ -1,5 +1,7 @@
 package com.bakdata.conquery.models.auth.web;
 
+import static com.bakdata.conquery.models.auth.web.AuthCookieFilter.PRIORITY;
+
 import java.io.IOException;
 
 import com.bakdata.conquery.models.config.ConqueryConfig;
@@ -31,10 +33,12 @@
 @Slf4j
 @PreMatching
 // Chain this filter before the Authentication filter
-@Priority(Priorities.AUTHENTICATION-100)
+@Priority(PRIORITY)
 @RequiredArgsConstructor(onConstructor_ = {@Inject})
 public class AuthCookieFilter implements ContainerRequestFilter, ContainerResponseFilter {
 
+	public static final int PRIORITY = Priorities.AUTHENTICATION - 100;
+
 	public static final String ACCESS_TOKEN = "access_token";
 	private static final String PREFIX = "bearer";
 
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
new file mode 100644
index 0000000000..e66f05322d
--- /dev/null
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
@@ -0,0 +1,48 @@
+package com.bakdata.conquery.models.auth.web.csrf;
+
+import java.io.IOException;
+import java.util.Optional;
+
+import com.bakdata.conquery.models.auth.web.AuthCookieFilter;
+import jakarta.annotation.Priority;
+import jakarta.ws.rs.ForbiddenException;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.container.ContainerRequestFilter;
+import jakarta.ws.rs.core.Cookie;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+
+/**
+ * Implementation of the Double-Submit-Cookie Pattern.
+ * Checks if tokens in cookie and header match if a cookie is present.
+ * Otherwise the request is refused.
+ */
+@Priority(AuthCookieFilter.PRIORITY - 100)
+@Slf4j
+public class CsrfTokenCheckFilter implements ContainerRequestFilter {
+	public static final String CSRF_TOKEN_HEADER = "X-Csrf-Token";
+
+	@Override
+	public void filter(ContainerRequestContext requestContext) throws IOException {
+		final String cookieToken = Optional.ofNullable(requestContext.getCookies().get(CsrfTokenSetFilter.CSRF_COOKIE_NAME)).map(Cookie::getValue).orElse(null);
+		final String headerToken = requestContext.getHeaders().getFirst(CSRF_TOKEN_HEADER);
+
+		if (cookieToken == null) {
+			log.trace("Request had no csrf token set. Accepting request");
+			return;
+		}
+
+		if (StringUtils.isBlank(headerToken)) {
+			log.warn("Request contained csrf cookie but the header token was empty");
+			throw new ForbiddenException("CSRF Attempt");
+		}
+
+		if (!cookieToken.equals(headerToken)) {
+			log.warn("Request csrf cookie and header did not match");
+			throw new ForbiddenException("CSRF Attempt");
+		}
+
+		log.trace("Csrf check successful");
+
+	}
+}
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
new file mode 100644
index 0000000000..a0e7f47047
--- /dev/null
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
@@ -0,0 +1,52 @@
+package com.bakdata.conquery.models.auth.web.csrf;
+
+import java.io.IOException;
+import java.security.SecureRandom;
+import java.util.Random;
+
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.container.ContainerRequestFilter;
+import jakarta.ws.rs.container.ContainerResponseContext;
+import jakarta.ws.rs.container.ContainerResponseFilter;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.NewCookie;
+import org.apache.commons.lang3.RandomStringUtils;
+
+/**
+ * Implementation of the Double-Submit-Cookie Pattern.
+ * This filter generates a random token which is injected in to the response.
+ * <ul>
+ *     <li>In a Set-Cookie header, so that browser requests send the token via cookie back to us</li>
+ *     <li>In the response payload. This filter sets a request property, which is eventually provided to freemarker.
+ *     Freemarker then writes the token into payload (see base.html.ftl)</li>
+ * </ul>
+ */
+public class CsrfTokenSetFilter implements ContainerRequestFilter, ContainerResponseFilter {
+
+	public static final String CSRF_COOKIE_NAME = "csrf_token";
+	public static final String CSRF_TOKEN_PROPERTY = "csrf_token";
+	public static final int TOKEN_LENGTH = 30;
+
+	Random random = new SecureRandom();
+
+	@Override
+	public void filter(ContainerRequestContext requestContext) throws IOException {
+		final String token = RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true,
+													  null, random
+		);
+		requestContext.setProperty(CSRF_TOKEN_PROPERTY, token);
+	}
+
+	@Override
+	public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) throws IOException {
+		final String csrfToken = getCsrfTokenProperty(requestContext);
+
+		responseContext.getHeaders()
+					   .add(HttpHeaders.SET_COOKIE, new NewCookie(CSRF_COOKIE_NAME, csrfToken, "/", null, 0, null, 3600, null, requestContext.getSecurityContext()
+																																			 .isSecure(), false));
+	}
+
+	public static String getCsrfTokenProperty(ContainerRequestContext requestContext) {
+		return (String) requestContext.getProperty(CSRF_TOKEN_PROPERTY);
+	}
+}
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/AdminServlet.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/AdminServlet.java
index 8696ba7edd..28e8ecf939 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/AdminServlet.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/AdminServlet.java
@@ -13,6 +13,8 @@
 import com.bakdata.conquery.io.jersey.RESTServer;
 import com.bakdata.conquery.io.storage.MetaStorage;
 import com.bakdata.conquery.models.auth.web.AuthCookieFilter;
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenCheckFilter;
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenSetFilter;
 import com.bakdata.conquery.models.config.ConqueryConfig;
 import com.bakdata.conquery.models.jobs.JobManager;
 import com.bakdata.conquery.models.worker.DatasetRegistry;
@@ -120,7 +122,8 @@ protected void configure() {
 					.register(IdRefPathParamConverterProvider.class)
 					.register(new MultiPartFeature())
 					.register(IdParamConverter.Provider.INSTANCE)
-					.register(AuthCookieFilter.class);
+					.register(AuthCookieFilter.class)
+					.register(CsrfTokenCheckFilter.class);
 
 
 		jerseyConfigUI.register(new ViewMessageBodyWriter(manager.getEnvironment().metrics(), Collections.singleton(Freemarker.HTML_RENDERER)))
@@ -136,7 +139,8 @@ protected void configure() {
 					  })
 					  .register(AdminPermissionFilter.class)
 					  .register(IdRefPathParamConverterProvider.class)
-					  .register(AuthCookieFilter.class);
+					  .register(AuthCookieFilter.class)
+					  .register(CsrfTokenSetFilter.class);
 
 	}
 
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/rest/UIProcessor.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/rest/UIProcessor.java
index 78b0448a2e..17c89ccdbf 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/rest/UIProcessor.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/rest/UIProcessor.java
@@ -68,8 +68,8 @@ public MetaStorage getStorage() {
 		return adminProcessor.getStorage();
 	}
 
-	public UIContext getUIContext() {
-		return new UIContext(adminProcessor.getNodeProvider());
+	public UIContext getUIContext(String csrfToken) {
+		return new UIContext(adminProcessor.getNodeProvider(), csrfToken);
 	}
 
 	public Set<IndexKey<?>> getLoadedIndexes() {
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/AdminUIResource.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/AdminUIResource.java
index c4fefb8b73..c503612d9c 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/AdminUIResource.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/AdminUIResource.java
@@ -4,6 +4,7 @@
 import java.util.Objects;
 
 import com.bakdata.conquery.models.auth.entities.Subject;
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenSetFilter;
 import com.bakdata.conquery.models.config.auth.AuthenticationConfig;
 import com.bakdata.conquery.resources.ResourceConstants;
 import com.bakdata.conquery.resources.admin.rest.UIProcessor;
@@ -27,34 +28,36 @@
 public class AdminUIResource {
 
 	private final UIProcessor uiProcessor;
-
+	@Context
+	private ContainerRequestContext requestContext;
 	@GET
 	public View getIndex() {
-		return new UIView<>("index.html.ftl", uiProcessor.getUIContext());
+		return new UIView<>("index.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)));
 	}
 
 	@GET
 	@Path("script")
 	public View getScript() {
-		return new UIView<>("script.html.ftl", uiProcessor.getUIContext());
+		return new UIView<>("script.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)));
 	}
 
 	@GET
 	@Path("jobs")
 	public View getJobs() {
-		return new UIView<>("jobs.html.ftl", uiProcessor.getUIContext(), uiProcessor.getAdminProcessor().getJobs());
+		return new UIView<>("jobs.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)), uiProcessor.getAdminProcessor()
+																																		   .getJobs());
 	}
 
 	@GET
 	@Path("queries")
 	public View getQueries() {
-		return new UIView<>("queries.html.ftl", uiProcessor.getUIContext());
+		return new UIView<>("queries.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)));
 	}
 
 
 	@GET
 	@Path("logout")
-	public Response logout(@Context ContainerRequestContext requestContext, @Auth Subject user) {
+	public Response logout(@Auth Subject user) {
 		// Invalidate all cookies. At the moment the adminEnd uses cookies only for authentication, so this does not interfere with other things
 		final NewCookie[] expiredCookies = requestContext.getCookies().keySet().stream().map(AuthenticationConfig::expireCookie).toArray(NewCookie[]::new);
 		final URI logout = user.getAuthenticationInfo().getFrontChannelLogout();
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/AuthOverviewUIResource.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/AuthOverviewUIResource.java
index f9ab29d6a5..969ec5d2c6 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/AuthOverviewUIResource.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/AuthOverviewUIResource.java
@@ -1,5 +1,6 @@
 package com.bakdata.conquery.resources.admin.ui;
 
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenSetFilter;
 import com.bakdata.conquery.resources.ResourceConstants;
 import com.bakdata.conquery.resources.admin.rest.UIProcessor;
 import com.bakdata.conquery.resources.admin.ui.model.UIView;
@@ -8,6 +9,8 @@
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import lombok.RequiredArgsConstructor;
 
@@ -19,8 +22,8 @@ public class AuthOverviewUIResource {
 	protected final UIProcessor uiProcessor;
 
 	@GET
-	public View getOverview() {
-		return new UIView<>("authOverview.html.ftl", uiProcessor.getUIContext(), uiProcessor.getAuthOverview());
+	public View getOverview(@Context ContainerRequestContext request) {
+		return new UIView<>("authOverview.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(request)), uiProcessor.getAuthOverview());
 	}
 
 }
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/ConceptsUIResource.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/ConceptsUIResource.java
index fd7029ba17..ef1f88cecb 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/ConceptsUIResource.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/ConceptsUIResource.java
@@ -4,6 +4,7 @@
 import static com.bakdata.conquery.resources.ResourceConstants.DATASET;
 
 import com.bakdata.conquery.io.jersey.ExtraMimeTypes;
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenSetFilter;
 import com.bakdata.conquery.models.datasets.Dataset;
 import com.bakdata.conquery.models.datasets.concepts.Concept;
 import com.bakdata.conquery.resources.admin.rest.UIProcessor;
@@ -15,6 +16,8 @@
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
@@ -35,12 +38,14 @@ public class ConceptsUIResource {
 	protected Concept<?> concept;
 	@PathParam(DATASET)
 	protected Dataset dataset;
+	@Context
+	ContainerRequestContext request;
 
 	@GET
 	public View getConceptView() {
 		return new UIView<>(
 				"concept.html.ftl",
-				uiProcessor.getUIContext(),
+				uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(request)),
 				concept
 		);
 	}
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/DatasetsUIResource.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/DatasetsUIResource.java
index fef955311a..0e855e5786 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/DatasetsUIResource.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/DatasetsUIResource.java
@@ -6,6 +6,7 @@
 import java.util.Collection;
 import java.util.stream.Collectors;
 
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenSetFilter;
 import com.bakdata.conquery.models.datasets.Dataset;
 import com.bakdata.conquery.models.datasets.Import;
 import com.bakdata.conquery.models.datasets.SecondaryIdDescription;
@@ -16,6 +17,7 @@
 import com.bakdata.conquery.models.index.search.SearchIndex;
 import com.bakdata.conquery.models.worker.Namespace;
 import com.bakdata.conquery.resources.admin.rest.UIProcessor;
+import com.bakdata.conquery.resources.admin.ui.model.UIContext;
 import com.bakdata.conquery.resources.admin.ui.model.UIView;
 import io.dropwizard.views.common.View;
 import jakarta.inject.Inject;
@@ -23,6 +25,8 @@
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import lombok.AllArgsConstructor;
 import lombok.Data;
@@ -45,13 +49,16 @@ public class DatasetsUIResource {
 
 	private final UIProcessor uiProcessor;
 
+	@Context
+	private ContainerRequestContext requestContext;
+
 
 	@GET
 	@Produces(MediaType.TEXT_HTML)
 	public View listDatasetsUI() {
 		return new UIView<>(
 				"datasets.html.ftl",
-				uiProcessor.getUIContext(),
+				uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)),
 				uiProcessor.getDatasetRegistry().getAllDatasets()
 		);
 	}
@@ -63,7 +70,7 @@ public View getDataset(@PathParam(DATASET) Dataset dataset) {
 		final Namespace namespace = uiProcessor.getDatasetRegistry().get(dataset.getId());
 		return new UIView<>(
 				"dataset.html.ftl",
-				uiProcessor.getUIContext(),
+				uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)),
 				new DatasetInfos(
 						namespace.getDataset(),
 						namespace.getStorage().getSecondaryIds(),
@@ -102,11 +109,13 @@ public View getDataset(@PathParam(DATASET) Dataset dataset) {
 	@Path("{" + DATASET + "}/mapping")
 	public View getIdMapping(@PathParam(DATASET) Dataset dataset) {
 		final Namespace namespace = uiProcessor.getDatasetRegistry().get(dataset.getId());
-		EntityIdMap mapping = namespace.getStorage().getIdMapping();
+		final EntityIdMap mapping = namespace.getStorage().getIdMapping();
+		final UIContext uiContext = uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext));
+
 		if (mapping != null && mapping.getInternalToPrint() != null) {
-			return new UIView<>("idmapping.html.ftl", uiProcessor.getUIContext(), mapping.getInternalToPrint());
+			return new UIView<>("idmapping.html.ftl", uiContext, mapping.getInternalToPrint());
 		}
-		return new UIView<>("add_idmapping.html.ftl", uiProcessor.getUIContext(), namespace.getDataset().getId());
+		return new UIView<>("add_idmapping.html.ftl", uiContext, namespace.getDataset().getId());
 	}
 
 	@Data
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/GroupUIResource.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/GroupUIResource.java
index 7b4eb1e68d..c138afb3b6 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/GroupUIResource.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/GroupUIResource.java
@@ -1,20 +1,22 @@
 package com.bakdata.conquery.resources.admin.ui;
 
+import static com.bakdata.conquery.resources.ResourceConstants.GROUPS_PATH_ELEMENT;
+import static com.bakdata.conquery.resources.ResourceConstants.GROUP_ID;
+
 import com.bakdata.conquery.models.auth.entities.Group;
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenSetFilter;
 import com.bakdata.conquery.resources.admin.rest.UIProcessor;
 import com.bakdata.conquery.resources.admin.ui.model.UIView;
 import io.dropwizard.views.common.View;
-import lombok.RequiredArgsConstructor;
-
 import jakarta.inject.Inject;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
-
-import static com.bakdata.conquery.resources.ResourceConstants.GROUPS_PATH_ELEMENT;
-import static com.bakdata.conquery.resources.ResourceConstants.GROUP_ID;
+import lombok.RequiredArgsConstructor;
 
 @Produces(MediaType.TEXT_HTML)
 @Path(GROUPS_PATH_ELEMENT)
@@ -22,10 +24,13 @@
 public class GroupUIResource {
 
 	protected final UIProcessor uiProcessor;
+	@Context
+	private ContainerRequestContext requestContext;
 
 	@GET
 	public View getGroups() {
-		return new UIView<>("groups.html.ftl", uiProcessor.getUIContext(), uiProcessor.getAdminProcessor().getAllGroups());
+		return new UIView<>("groups.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)), uiProcessor.getAdminProcessor()
+																																			 .getAllGroups());
 	}
 
 	/**
@@ -37,6 +42,6 @@ public View getGroups() {
 	@Path("{" + GROUP_ID + "}")
 	@GET
 	public View getGroup(@PathParam(GROUP_ID) Group group) {
-		return new UIView<>("group.html.ftl", uiProcessor.getUIContext(), uiProcessor.getGroupContent(group));
+		return new UIView<>("group.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)), uiProcessor.getGroupContent(group));
 	}
 }
\ No newline at end of file
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/IndexServiceUIResource.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/IndexServiceUIResource.java
index 557b8e1dec..dd1ee509fd 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/IndexServiceUIResource.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/IndexServiceUIResource.java
@@ -4,17 +4,19 @@
 
 import java.util.Set;
 
-import jakarta.inject.Inject;
-import jakarta.ws.rs.GET;
-import jakarta.ws.rs.Path;
-import jakarta.ws.rs.Produces;
-import jakarta.ws.rs.core.MediaType;
-
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenSetFilter;
 import com.bakdata.conquery.models.index.IndexKey;
 import com.bakdata.conquery.resources.admin.rest.UIProcessor;
 import com.bakdata.conquery.resources.admin.ui.model.UIView;
 import com.google.common.cache.CacheStats;
 import io.dropwizard.views.common.View;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MediaType;
 import lombok.Data;
 import lombok.RequiredArgsConstructor;
 
@@ -24,12 +26,14 @@
 public class IndexServiceUIResource {
 
 	private final UIProcessor uiProcessor;
+	@Context
+	private ContainerRequestContext requestContext;
 
 	@GET
 	@Path(INDEX_SERVICE_PATH_ELEMENT)
 	public View getIndexService() {
 		final IndexServiceUIContent content = new IndexServiceUIContent(uiProcessor.getIndexServiceStatistics(), uiProcessor.getLoadedIndexes());
-		return new UIView<>("indexService.html.ftl", uiProcessor.getUIContext(), content);
+		return new UIView<>("indexService.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)), content);
 	}
 
 	/**
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/RoleUIResource.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/RoleUIResource.java
index ff7ebfc8e4..dce61a5219 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/RoleUIResource.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/RoleUIResource.java
@@ -4,6 +4,7 @@
 import static com.bakdata.conquery.resources.ResourceConstants.ROLE_ID;
 
 import com.bakdata.conquery.models.auth.entities.Role;
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenSetFilter;
 import com.bakdata.conquery.resources.admin.rest.UIProcessor;
 import com.bakdata.conquery.resources.admin.ui.model.UIView;
 import io.dropwizard.views.common.View;
@@ -12,6 +13,8 @@
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import lombok.RequiredArgsConstructor;
 
@@ -21,10 +24,13 @@
 public class RoleUIResource {
 
 	protected final UIProcessor uiProcessor;
+	@Context
+	private ContainerRequestContext requestContext;
 
 	@GET
 	public View getRoles() {
-		return new UIView<>("roles.html.ftl", uiProcessor.getUIContext(), uiProcessor.getAdminProcessor().getAllRoles());
+		return new UIView<>("roles.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)), uiProcessor.getAdminProcessor()
+																																			.getAllRoles());
 	}
 
 	/**
@@ -37,6 +43,6 @@ public View getRoles() {
 	@Path("{" + ROLE_ID + "}")
 	@GET
 	public View getRole(@PathParam(ROLE_ID) Role role) {
-		return new UIView<>("role.html.ftl", uiProcessor.getUIContext(), uiProcessor.getRoleContent(role));
+		return new UIView<>("role.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)), uiProcessor.getRoleContent(role));
 	}
 }
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/TablesUIResource.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/TablesUIResource.java
index 1aa4fbe0d8..2ede9a049c 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/TablesUIResource.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/TablesUIResource.java
@@ -2,6 +2,7 @@
 
 import static com.bakdata.conquery.resources.ResourceConstants.*;
 
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenSetFilter;
 import com.bakdata.conquery.models.datasets.Dataset;
 import com.bakdata.conquery.models.datasets.Import;
 import com.bakdata.conquery.models.datasets.Table;
@@ -13,6 +14,8 @@
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
@@ -33,13 +36,15 @@ public class TablesUIResource {
 	private Dataset dataset;
 	@PathParam(TABLE)
 	private Table table;
+	@Context
+	private ContainerRequestContext requestContext;
 
 
 	@GET
 	public View getTableView() {
 		return new UIView<>(
 				"table.html.ftl",
-				uiProcessor.getUIContext(),
+				uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)),
 				uiProcessor.getTableStatistics(table)
 		);
 	}
@@ -50,7 +55,7 @@ public View getImportView(@PathParam(IMPORT_ID) Import imp) {
 
 		return new UIView<>(
 				"import.html.ftl",
-				uiProcessor.getUIContext(),
+				uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)),
 				uiProcessor.getImportStatistics(imp)
 		);
 	}
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/UserUIResource.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/UserUIResource.java
index 892528a8d1..e8833a6b74 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/UserUIResource.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/UserUIResource.java
@@ -4,6 +4,7 @@
 import static com.bakdata.conquery.resources.ResourceConstants.USER_ID;
 
 import com.bakdata.conquery.models.auth.entities.User;
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenSetFilter;
 import com.bakdata.conquery.resources.admin.rest.UIProcessor;
 import com.bakdata.conquery.resources.admin.ui.model.UIView;
 import io.dropwizard.views.common.View;
@@ -12,6 +13,8 @@
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import lombok.RequiredArgsConstructor;
 
@@ -21,10 +24,13 @@
 public class UserUIResource {
 
 	protected final UIProcessor uiProcessor;
+	@Context
+	private ContainerRequestContext requestContext;
 
 	@GET
 	public View getUsers() {
-		return new UIView<>("users.html.ftl", uiProcessor.getUIContext(), uiProcessor.getAdminProcessor().getAllUsers());
+		return new UIView<>("users.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)), uiProcessor.getAdminProcessor()
+																																			.getAllUsers());
 	}
 
 	/**
@@ -36,6 +42,6 @@ public View getUsers() {
 	@Path("{" + USER_ID + "}")
 	@GET
 	public View getUser(@PathParam(USER_ID) User user) {
-		return new UIView<>("user.html.ftl", uiProcessor.getUIContext(), uiProcessor.getUserContent(user));
+		return new UIView<>("user.html.ftl", uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)), uiProcessor.getUserContent(user));
 	}
 }
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/model/ConnectorUIResource.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/model/ConnectorUIResource.java
index 4168fa7ab2..c846a92b30 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/model/ConnectorUIResource.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/model/ConnectorUIResource.java
@@ -4,6 +4,7 @@
 import static com.bakdata.conquery.resources.ResourceConstants.DATASET;
 
 import com.bakdata.conquery.io.jersey.ExtraMimeTypes;
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenSetFilter;
 import com.bakdata.conquery.models.datasets.Dataset;
 import com.bakdata.conquery.models.datasets.concepts.Connector;
 import com.bakdata.conquery.resources.admin.rest.UIProcessor;
@@ -14,6 +15,8 @@
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
@@ -34,12 +37,14 @@ public class ConnectorUIResource {
 	protected Connector connector;
 	@PathParam(DATASET)
 	protected Dataset dataset;
+	@Context
+	private ContainerRequestContext requestContext;
 
 	@GET
 	public View getConnectorView() {
 		return new UIView<>(
 				"connector.html.ftl",
-				uiProcessor.getUIContext(),
+				uiProcessor.getUIContext(CsrfTokenSetFilter.getCsrfTokenProperty(requestContext)),
 				connector
 		);
 	}
diff --git a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/model/UIContext.java b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/model/UIContext.java
index 83d48c9271..ef6fe0ccd7 100644
--- a/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/model/UIContext.java
+++ b/backend/src/main/java/com/bakdata/conquery/resources/admin/ui/model/UIContext.java
@@ -23,6 +23,9 @@ public class UIContext {
 	@Getter
 	public final TemplateModel staticUriElem = STATIC_URI_ELEMENTS;
 
+	@Getter
+	public final String csrfToken;
+
 	public Map<SocketAddress, ShardNodeInformation> getShardNodes() {
 		return shardNodeSupplier.get().stream().collect(Collectors.toMap(
 				ShardNodeInformation::getRemoteAddress,
diff --git a/backend/src/main/resources/assets/custom/js/script.js b/backend/src/main/resources/assets/custom/js/script.js
index 5e12ff0b29..b87347a72f 100644
--- a/backend/src/main/resources/assets/custom/js/script.js
+++ b/backend/src/main/resources/assets/custom/js/script.js
@@ -30,7 +30,9 @@ async function rest(url, options) {
 			method: 'get',
 			credentials: 'same-origin',
 			headers: {
-				'Content-Type': 'application/json'
+				'Content-Type': 'application/json',
+				// Csrf token is provided via global variable
+				'X-Csrf-Token': csrf_token
 			},
 			...options
 		}
@@ -38,6 +40,19 @@ async function rest(url, options) {
 	return res;
 }
 
+async function restOptionalForce(url, options) {
+	return rest(url, options).then((res) => {
+		// force button in case of 409 status
+		const customButton = createCustomButton('Force delete');
+		customButton.onclick = () => rest(toForceURL(url), options).then((res) => {
+			res.ok && location.reload();
+		});
+
+		showMessageForResponse(res, customButton);
+		return res;
+	});
+}
+
 function getToast(type, title, text, smalltext = "", customButton) {
 	if (!type) type = ToastTypes.INFO;
 
@@ -207,4 +222,71 @@ $("ul.nav-tabs > li > a").on("shown.bs.tab", function (e) {
 
 // on load of the page: switch to the currently selected tab
 var hash = window.location.hash;
-$('#myTab a[href="' + hash + '"]').tab('show');
\ No newline at end of file
+$('#myTab a[href="' + hash + '"]').tab('show');
+
+const uploadFormMapping = {
+	mapping: {
+		name: "mapping",
+		uri: "internToExtern",
+		accept: "*.mapping.json",
+	},
+	table: { name: "table_schema", uri: "tables", accept: "*.table.json" },
+	concept: {
+		name: "concept_schema",
+		uri: "concepts",
+		accept: "*.concept.json",
+	},
+	structure: {
+		name: "structure_schema",
+		uri: "structure",
+		accept: "structure.json",
+	},
+};
+
+function updateDatasetUploadForm(select) {
+	const data = uploadFormMapping[select.value];
+	const fileInput = $(select).next();
+	fileInput.value = "";
+	fileInput.attr("accept", data.accept);
+	fileInput.attr("name", data.name);
+	$(select)
+		.parent()
+		.attr(
+			"onsubmit",
+			"postFile(event, '/admin/datasets/${c.ds.id}/" + data.uri + "')"
+		);
+}
+
+function createDataset(event) {
+	event.preventDefault();
+	rest(
+		'/admin/datasets',
+		{
+			method: 'post',
+			body: JSON.stringify({
+				name: document.getElementById('entity_id').value,
+				label: document.getElementById('entity_name').value
+			})
+		}).then(function (res) {
+			if (res.ok)
+				location.reload();
+			else
+				showMessageForResponse(res);
+		});
+}
+
+
+
+function deleteDataset(event, datasetId) {
+	event.preventDefault();
+	rest(
+		`/admin/datasets/${datasetId}`,
+		{
+			method: 'delete',
+		}).then(function (res) {
+			if (res.ok)
+				location.reload();
+			else
+				showMessageForResponse(res);
+		});
+}
\ No newline at end of file
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/dataset.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/dataset.html.ftl
index 51b1aa8e22..3010d20c54 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/dataset.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/dataset.html.ftl
@@ -27,8 +27,6 @@
 <#macro idMapping><a href="./${c.ds.id}/mapping">Here</a></#macro>
 
 <@layout.layout>
-  <!-- Javascript -->
-  <script><#include "scripts/dataset.js" /></script>
 
   <!-- Dataset page -->
   <@breadcrumbs.breadcrumbs
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/datasets.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/datasets.html.ftl
index 353adce52b..ae11931ea6 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/datasets.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/datasets.html.ftl
@@ -3,7 +3,7 @@
 <#assign columns=["id", "label", "actions"]>
 
 <#macro deleteDatasetButton id>
-	<a data-test-id="delete-btn-${id}" href="" onclick="deleteDataset('${id}')"><i class="fas fa-trash-alt text-danger"></i></a>
+	<a data-test-id="delete-btn-${id}" href="" onclick="deleteDataset(event, '${id}')"><i class="fas fa-trash-alt text-danger"></i></a>
 </#macro>
 
 <@layout.layout>
@@ -21,7 +21,7 @@
 						<label for="entity_id">ID:</label>
 						<input id="entity_id" name="entity_id" data-test-id="entity-id" class="form-control text-monospace" style="font-family:monospace;">
 					</div>
-					<input class="btn btn-primary mt-3" data-test-id="create-dataset-btn" type="submit" onclick="createDataset()"/>
+					<input class="btn btn-primary mt-3" data-test-id="create-dataset-btn" type="submit" onclick="createDataset(event)"/>
 				</form>
 			</div>
 
@@ -32,43 +32,4 @@
 
 		</div>
 	</div>
-	<script>
-
-		function createDataset() {
-			event.preventDefault();
-			fetch(
-				'/admin/datasets',
-				{
-					method: 'post',
-					headers: {
-                        'Content-Type': 'application/json'
-                    },
-					credentials: 'same-origin',
-					body: JSON.stringify({
-							name: document.getElementById('entity_id').value,
-							label: document.getElementById('entity_name').value
-						})
-			}).then(function(res){
-				if(res.ok) 
-					location.reload();
-				else
-					showMessageForResponse(res);
-			});
-		}
-
-		function deleteDataset(datasetId) {
-			event.preventDefault();
-			fetch(
-				${r"`/admin/datasets/${datasetId}`"},
-				{
-					method: 'delete',
-					credentials: "same-origin"
-			}).then(function(res){
-				if(res.ok) 
-					location.reload();
-				else
-					showMessageForResponse(res);
-			});
-		}
-	</script>
 </@layout.layout>
\ No newline at end of file
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/scripts/dataset.js b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/scripts/dataset.js
deleted file mode 100644
index 6cbb9c846e..0000000000
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/scripts/dataset.js
+++ /dev/null
@@ -1,45 +0,0 @@
-const uploadFormMapping = {
-  mapping: {
-    name: "mapping",
-    uri: "internToExtern",
-    accept: "*.mapping.json",
-  },
-  table: { name: "table_schema", uri: "tables", accept: "*.table.json" },
-  concept: {
-    name: "concept_schema",
-    uri: "concepts",
-    accept: "*.concept.json",
-  },
-  structure: {
-    name: "structure_schema",
-    uri: "structure",
-    accept: "structure.json",
-  },
-};
-
-function updateDatasetUploadForm(select) {
-  const data = uploadFormMapping[select.value];
-  const fileInput = $(select).next();
-  fileInput.value = "";
-  fileInput.attr("accept", data.accept);
-  fileInput.attr("name", data.name);
-  $(select)
-    .parent()
-    .attr(
-      "onsubmit",
-      "postFile(event, '/admin/datasets/${c.ds.id}/" + data.uri + "')"
-    );
-}
-
-async function restOptionalForce(url, options) {
-  return rest(url, options).then((res) => {
-    // force button in case of 409 status
-    const customButton = createCustomButton('Force delete');
-    customButton.onclick = () => rest(toForceURL(url), options).then((res) => {
-      res.ok && location.reload();
-    });
-
-    showMessageForResponse(res, customButton);
-    return res;
-  });
-}
\ No newline at end of file
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/base.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/base.html.ftl
index e8e5a180b4..fc5435567b 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/base.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/base.html.ftl
@@ -1,4 +1,4 @@
-<#macro html title>
+<#macro html title >
 	<!doctype html>
 	<html lang="en">
 
@@ -16,6 +16,13 @@
 		<script src="/assets/popper-1.12.9/popper.min.js"></script>
 		<script src="/assets/bootstrap-4.3.1/js/bootstrap.min.js"></script>
 		<script src="/assets/custom/js/script.js"></script>
+
+
+		<script>
+			<#-- Global varaible for csrf used by rest-method  -->
+			var csrf_token = "${ctx.csrfToken}"
+		</script>
+
 		<title>${title}</title>
 	</head>
 	<#nested />

From cdcb67b7ac637cba02152831192286cc319e0954 Mon Sep 17 00:00:00 2001
From: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
Date: Thu, 25 Apr 2024 21:13:40 +0200
Subject: [PATCH 02/11] fixes admin ui templates

Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
---
 .../auth/web/csrf/CsrfTokenSetFilter.java       |  2 +-
 .../main/resources/assets/custom/js/script.js   | 17 ++++++++++-------
 .../resources/admin/ui/dataset.html.ftl         |  2 +-
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
index a0e7f47047..bd01af11f4 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
@@ -27,7 +27,7 @@ public class CsrfTokenSetFilter implements ContainerRequestFilter, ContainerResp
 	public static final String CSRF_TOKEN_PROPERTY = "csrf_token";
 	public static final int TOKEN_LENGTH = 30;
 
-	Random random = new SecureRandom();
+	private final Random random = new SecureRandom();
 
 	@Override
 	public void filter(ContainerRequestContext requestContext) throws IOException {
diff --git a/backend/src/main/resources/assets/custom/js/script.js b/backend/src/main/resources/assets/custom/js/script.js
index b87347a72f..c574f0fe4c 100644
--- a/backend/src/main/resources/assets/custom/js/script.js
+++ b/backend/src/main/resources/assets/custom/js/script.js
@@ -163,10 +163,9 @@ function postFile(event, url) {
 		let reader = new FileReader();
 		reader.onload = function () {
 			let json = reader.result;
-			fetch(url, {
-				method: 'post', credentials: 'same-origin', body: json, headers: {
-					"Content-Type": "application/json"
-				}
+			rest(url, {
+				method: 'post',
+				body: json
 			})
 				.then(function (response) {
 					if (response.ok) {
@@ -230,7 +229,11 @@ const uploadFormMapping = {
 		uri: "internToExtern",
 		accept: "*.mapping.json",
 	},
-	table: { name: "table_schema", uri: "tables", accept: "*.table.json" },
+	table: {
+		name: "table_schema",
+		uri: "tables",
+		accept: "*.table.json"
+	},
 	concept: {
 		name: "concept_schema",
 		uri: "concepts",
@@ -243,7 +246,7 @@ const uploadFormMapping = {
 	},
 };
 
-function updateDatasetUploadForm(select) {
+function updateDatasetUploadForm(select, datasetId) {
 	const data = uploadFormMapping[select.value];
 	const fileInput = $(select).next();
 	fileInput.value = "";
@@ -253,7 +256,7 @@ function updateDatasetUploadForm(select) {
 		.parent()
 		.attr(
 			"onsubmit",
-			"postFile(event, '/admin/datasets/${c.ds.id}/" + data.uri + "')"
+			`postFile(event, '/admin/datasets/${datasetId}/${data.uri}')`
 		);
 }
 
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/dataset.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/dataset.html.ftl
index 3010d20c54..65d07c7f6d 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/dataset.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/dataset.html.ftl
@@ -49,7 +49,7 @@
             <select
               class="custom-select"
               data-test-id="upload-select"
-              onchange="updateDatasetUploadForm(this)"
+              onchange="updateDatasetUploadForm(this, '${c.ds.id}')"
               required
             >
               <option value="mapping" selected>Mapping JSON</option>

From 43750c94de9baa6af79dc659e3ac8febd8c16337 Mon Sep 17 00:00:00 2001
From: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
Date: Thu, 25 Apr 2024 21:14:06 +0200
Subject: [PATCH 03/11] updates gh actions

Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
---
 .github/workflows/codeql-analysis.yml |  8 +++++---
 .github/workflows/test_cypress.yml    | 16 ++++++++++------
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 570eb425f6..4b05fbcff8 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -44,10 +44,12 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v2
 
-    - name: set java 17
-      uses: actions/setup-java@v1
+    - name: Set up JDK
+      uses: actions/setup-java@v2
       with:
-        java-version: 17
+        distribution: 'temurin'
+        java-version: '17'
+        overwrite-settings: false
 
       # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
diff --git a/.github/workflows/test_cypress.yml b/.github/workflows/test_cypress.yml
index cabccfb095..4f9bf8f7a1 100644
--- a/.github/workflows/test_cypress.yml
+++ b/.github/workflows/test_cypress.yml
@@ -17,14 +17,14 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -34,9 +34,11 @@ jobs:
           node-version: 18
 
       - name: Set up JDK
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v2
         with:
-          java-version: 17
+          distribution: 'temurin'
+          java-version: '17'
+          overwrite-settings: false
 
       - name: Build Backend
         run: ./scripts/build_backend_no_version.sh
@@ -53,14 +55,16 @@ jobs:
           start: bash ./scripts/run_e2e_all.sh
           wait-on: "http://localhost:8000"
 
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: cypress-screenshots
           path: cypress/screenshots
+          if-no-files-found: ignore
 
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: cypress-videos
           path: cypress/videos
+          if-no-files-found: ignore

From ff3c67f81c59f5370243a46a050bfe7325d2bca1 Mon Sep 17 00:00:00 2001
From: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
Date: Thu, 25 Apr 2024 21:39:12 +0200
Subject: [PATCH 04/11] change fetch to rest call everywhere

Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
---
 .../main/resources/assets/custom/js/script.js |  21 +-
 .../resources/admin/ui/group.html.ftl         |   7 +-
 .../resources/admin/ui/indexService.html.ftl  |   7 +-
 .../conquery/resources/admin/ui/jobs.html.ftl |   5 +-
 .../resources/admin/ui/queries.html.ftl       | 293 ++++++++----------
 .../ui/templates/authEntityOverview.html.ftl  |  13 +-
 .../admin/ui/templates/groupHandler.html.ftl  |   7 +-
 .../ui/templates/permissionCreator.html.ftl   |   4 +-
 .../ui/templates/permissionTable.html.ftl     |   4 +-
 .../admin/ui/templates/roleHandler.html.ftl   |   7 +-
 .../admin/ui/templates/template.html.ftl      |   2 +-
 11 files changed, 164 insertions(+), 206 deletions(-)

diff --git a/backend/src/main/resources/assets/custom/js/script.js b/backend/src/main/resources/assets/custom/js/script.js
index c574f0fe4c..325d59e9c6 100644
--- a/backend/src/main/resources/assets/custom/js/script.js
+++ b/backend/src/main/resources/assets/custom/js/script.js
@@ -29,12 +29,14 @@ async function rest(url, options) {
 		{
 			method: 'get',
 			credentials: 'same-origin',
+			...options,
+			// Overwrite options[headers] here, BUT merge them with our headers
 			headers: {
 				'Content-Type': 'application/json',
 				// Csrf token is provided via global variable
-				'X-Csrf-Token': csrf_token
-			},
-			...options
+				'X-Csrf-Token': csrf_token,
+				...options?.headers,
+			}
 		}
 	);
 	return res;
@@ -194,10 +196,9 @@ function postFile(event, url) {
 function postScriptHandler(event, jsonOut, responseTargetTextfield) {
 	event.preventDefault();
 	responseTargetTextfield.innerHTML = 'waiting for response';
-	fetch('/admin/script',
+	rest('/admin/script',
 		{
 			method: 'post',
-			credentials: 'same-origin',
 			body: document.getElementById('script').value,
 			headers: {
 				'Content-Type': 'text/plain',
@@ -292,4 +293,14 @@ function deleteDataset(event, datasetId) {
 			else
 				showMessageForResponse(res);
 		});
+}
+
+function shutdown(event) {
+	event.preventDefault();
+	rest(
+		'/tasks/shutdown',
+		{
+			method: 'post'
+		}
+	);
 }
\ No newline at end of file
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/group.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/group.html.ftl
index 402ffd0494..611ea50a5c 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/group.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/group.html.ftl
@@ -84,23 +84,20 @@
 	<script type="application/javascript">
 	function addMember() {
 		event.preventDefault(); 
-		fetch(
+		rest(
 			'/admin/${ctx.staticUriElem.GROUPS_PATH_ELEMENT}/${c.owner.id}/${ctx.staticUriElem.USERS_PATH_ELEMENT}/'+document.getElementById('member_id').value,
 			{
 				method: 'post',
-				credentials: 'same-origin',
-				headers: {'Content-Type': 'application/json'}
 			})
 			.then(function(){location.reload()});
 	}
 
 	function removeMember(path){
 		event.preventDefault();
-		fetch(
+		rest(
 			path,
 			{
 				method: 'delete',
-				credentials: 'same-origin',
 			})
 			.then(function(){location.reload();});
 	}
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/indexService.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/indexService.html.ftl
index b8ea51ff88..f9dc3e8654 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/indexService.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/indexService.html.ftl
@@ -30,11 +30,8 @@
 	<script type="application/javascript">
 		function resetIndexService() {
 			event.preventDefault();
-			fetch('/${ctx.staticUriElem.ADMIN_SERVLET_PATH}/${ctx.staticUriElem.INDEX_SERVICE_PATH_ELEMENT}/reset', {
-				method: 'post',
-				credentials: 'same-origin',
-				headers: {'Content-Type': 'application/json'},
-			
+			rest('/${ctx.staticUriElem.ADMIN_SERVLET_PATH}/${ctx.staticUriElem.INDEX_SERVICE_PATH_ELEMENT}/reset', {
+				method: 'post',			
 		}).then(function() {location.reload()});
 		}
 	</script>
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/jobs.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/jobs.html.ftl
index 64db072311..17981be3f3 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/jobs.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/jobs.html.ftl
@@ -7,17 +7,16 @@
 
     function cancelJob(jobId) {
       event.preventDefault(); 
-      fetch(
+      rest(
         "/admin/jobs/" + jobId + "/cancel",
         {
           method: "post",
-          credentials: "same-origin"
         }
       );
     }
 
     function getJobs() {
-      return fetch("/admin/jobs")
+      return rest("/admin/jobs")
         .then((res) => res.json())
         .then((entries) => {
           const origins = {};
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/queries.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/queries.html.ftl
index 5bac320b71..c73c81cd19 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/queries.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/queries.html.ftl
@@ -1,159 +1,130 @@
 <#import "templates/template.html.ftl" as layout>
-<@layout.layout>
+  <@layout.layout>
     <style>
-        .title {
-          font-size: 18px;
-          font-family: arial, sans-serif;
-        }
-
-        .inner {
-          font-size: 12px;
-          color: grey;
-        }
-
-        .innerBtn {
-          font-size: 12px;
-        }
-
-        .btn {
-          padding: 5px 5px;
-        }
-
-        .progress {
-          margin: 2px;
-        }
-
-        .container {
-          padding: 3px;
-        }
+    .title {
+      font-size: 18px;
+      font-family: arial, sans-serif;
+    }
+
+    .inner {
+      font-size: 12px;
+      color: grey;
+    }
+
+    .innerBtn {
+      font-size: 12px;
+    }
+
+    .btn {
+      padding: 5px 5px;
+    }
+
+    .progress {
+      margin: 2px;
+    }
+
+    .container {
+      padding: 3px;
+    }
     </style>
     <script type="text/javascript">
-        var QueryCounter = 0;
-
-        var runningQueriesTable = {};
-        var notStartedQueriesTable = {};
-        var failedQueriesTable = {};
-        var succeedQueriesTable = {};
-
-        var runningNbrElt = {};
-        var notStartedNbrElt = {};
-        var failedNbrElt = {};
-        var succeedNbrElt = {};
-        var reloader = {};
-        var languageTag = {};
-        window.onload = (event) => {
-          languageTag = navigator.language || navigator.userLanguage;
-          handleUpdateCheck(document.getElementById("updateCheckBox"));
-          runningQueriesTable = document.getElementById("runningQueriesTable");
-          notStartedQueriesTable = document.getElementById("notStartedQueriesTable");
-          failedQueriesTable = document.getElementById("failedQueriesTable");
-          succeedQueriesTable = document.getElementById("succeedQueriesTable");
-
-          runningNbrElt = document.getElementById("runningNbr");
-          notStartedNbrElt = document.getElementById("notStartedNbr");
-          failedNbrElt = document.getElementById("failedNbr");
-          succeedNbrElt = document.getElementById("succeedNbr");
-
-
-        }
-
-        function updateQueriesTable(queries) {
-
-
-          clearTables();
-          QueryCounter = 0;
-          updateQueriesInnerCounter(queries);
-          if (!queries) return;
-
-          queries.sort(compareQueriesDate);
-          for (i = 0; i < queries.length; i++) {
-            QueryCounter++;
-            if (queries[i].status === "RUNNING")
-              runningQueriesTable.insertAdjacentHTML('beforeend', getHtmltemplate(queries[i], QueryCounter));
-
-            if (queries[i].status === "NEW")
-              notStartedQueriesTable.insertAdjacentHTML('beforeend', getHtmltemplate(queries[i], QueryCounter));
-
-
-            if (queries[i].status === "FAILED")
-              failedQueriesTable.insertAdjacentHTML('beforeend', getHtmltemplate(queries[i], QueryCounter));
-
-
-            if (queries[i].status === "DONE")
-              succeedQueriesTable.insertAdjacentHTML('beforeend', getHtmltemplate(queries[i], QueryCounter));
-          }
-
-        }
-
-        function compareQueriesDate(query1, query2) {
-          let createdAt1 = new Date(query1.createdAt);
-          let createdAt2 = new Date(query2.createdAt);
-          let date1Null = createdAt1 == null || createdAt1 == undefined;
-          let date2Null = createdAt2 == null || createdAt2 == undefined;
-          if (date1Null && date2Null) return 0;
-          else if (date2Null || createdAt1 > createdAt2) return 1;
-          else if (date1Null || createdAt1 < createdAt2) return -1;
-          else return 0;
-        }
-
-        function updateQueriesInnerCounter(queries) {
-          if (!queries) return;
-          runningNbrElt.innerText = queries.filter(x => x.status === "RUNNING").length;
-          notStartedNbrElt.innerText = queries.filter(x => x.status === "NEW").length;
-          failedNbrElt.innerText = queries.filter(x => x.status === "FAILED").length;
-          succeedNbrElt.innerText = queries.filter(x => x.status === "DONE").length;
-        }
-
-        function clearTables() {
-
-          runningQueriesTable.innerHTML = "";
-          failedQueriesTable.innerHTML = "";
-          succeedQueriesTable.innerHTML = "";
-          notStartedQueriesTable.innerHTML = "";
-
-        }
-
-        function getQueries() {
-          try {
-            fetch(
-                '/admin/queries', {
-                  method: 'get',
-
-                  headers: {
-                    'Accept': 'application/json'
-                  },
-
-                  credentials: 'same-origin'
-                }).then(response => response.json()).then(queries => {
-                updateQueriesTable(queries);
-              })
-              .catch(error => {
-                console.log(error);
-              });
-
-          } catch (error) {
+    var QueryCounter = 0;
+    var runningQueriesTable = {};
+    var notStartedQueriesTable = {};
+    var failedQueriesTable = {};
+    var succeedQueriesTable = {};
+    var runningNbrElt = {};
+    var notStartedNbrElt = {};
+    var failedNbrElt = {};
+    var succeedNbrElt = {};
+    var reloader = {};
+    var languageTag = {};
+    window.onload = (event) => {
+      languageTag = navigator.language || navigator.userLanguage;
+      handleUpdateCheck(document.getElementById("updateCheckBox"));
+      runningQueriesTable = document.getElementById("runningQueriesTable");
+      notStartedQueriesTable = document.getElementById("notStartedQueriesTable");
+      failedQueriesTable = document.getElementById("failedQueriesTable");
+      succeedQueriesTable = document.getElementById("succeedQueriesTable");
+      runningNbrElt = document.getElementById("runningNbr");
+      notStartedNbrElt = document.getElementById("notStartedNbr");
+      failedNbrElt = document.getElementById("failedNbr");
+      succeedNbrElt = document.getElementById("succeedNbr");
+    }
+
+    function updateQueriesTable(queries) {
+      clearTables();
+      QueryCounter = 0;
+      updateQueriesInnerCounter(queries);
+      if (!queries) return;
+      queries.sort(compareQueriesDate);
+      for (i = 0; i < queries.length; i++) {
+        QueryCounter++;
+        if (queries[i].status === "RUNNING")
+          runningQueriesTable.insertAdjacentHTML('beforeend', getHtmltemplate(queries[i], QueryCounter));
+        if (queries[i].status === "NEW")
+          notStartedQueriesTable.insertAdjacentHTML('beforeend', getHtmltemplate(queries[i], QueryCounter));
+        if (queries[i].status === "FAILED")
+          failedQueriesTable.insertAdjacentHTML('beforeend', getHtmltemplate(queries[i], QueryCounter));
+        if (queries[i].status === "DONE")
+          succeedQueriesTable.insertAdjacentHTML('beforeend', getHtmltemplate(queries[i], QueryCounter));
+      }
+    }
+
+    function compareQueriesDate(query1, query2) {
+      let createdAt1 = new Date(query1.createdAt);
+      let createdAt2 = new Date(query2.createdAt);
+      let date1Null = createdAt1 == null || createdAt1 == undefined;
+      let date2Null = createdAt2 == null || createdAt2 == undefined;
+      if (date1Null && date2Null) return 0;
+      else if (date2Null || createdAt1 > createdAt2) return 1;
+      else if (date1Null || createdAt1 < createdAt2) return -1;
+      else return 0;
+    }
+
+    function updateQueriesInnerCounter(queries) {
+      if (!queries) return;
+      runningNbrElt.innerText = queries.filter(x => x.status === "RUNNING").length;
+      notStartedNbrElt.innerText = queries.filter(x => x.status === "NEW").length;
+      failedNbrElt.innerText = queries.filter(x => x.status === "FAILED").length;
+      succeedNbrElt.innerText = queries.filter(x => x.status === "DONE").length;
+    }
+
+    function clearTables() {
+      runningQueriesTable.innerHTML = "";
+      failedQueriesTable.innerHTML = "";
+      succeedQueriesTable.innerHTML = "";
+      notStartedQueriesTable.innerHTML = "";
+    }
+
+    function getQueries() {
+      try {
+        rest(
+            '/admin/queries', {
+              method: 'get',
+            }).then(response => response.json()).then(queries => {
+            updateQueriesTable(queries);
+          })
+          .catch(error => {
             console.log(error);
-            return null;
-          };
-
-        }
-
-        function handleUpdateCheck(event) {
-          if (event.checked ) {
-            reloader = setInterval(getQueries, 5000);
-           return;
-          }
-
-          clearInterval(reloader);
-          reloader = 0;
-
-
-        }
-
-        <#noparse >
-            function getHtmltemplate(data,queryCounter) {
-                return `
-
+          });
+      } catch (error) {
+        console.log(error);
+        return null;
+      };
+    }
+
+    function handleUpdateCheck(event) {
+      if (event.checked) {
+        reloader = setInterval(getQueries, 5000);
+        return;
+      }
+      clearInterval(reloader);
+      reloader = 0;
+    } <
+    #noparse >
+      function getHtmltemplate(data, queryCounter) {
+        return `
                 <div class="row container" >
                   <div class="card container">
                     <div class="card-body">
@@ -202,7 +173,8 @@
                     <div class="col">
                       <div class="collapse multi-collapse" id="query${queryCounter}">
                         <div class="card card-body">
-                          <pre> ${(data.query ? JSON.stringify(data.query, undefined, 2) : '')}  </pre>
+                          <pre>
+${(data.query ? JSON.stringify(data.query, undefined, 2) : '')}  </pre>
                         </div>
                       </div>
                     </div>
@@ -217,12 +189,10 @@
                 </div>
                 </div>
                 </div>
-
             `
-            }
-        </#noparse>
+      } <
+      /#noparse>
     </script>
-
     <h1> Queries </h1>
     <label><input id="updateCheckBox" type='checkbox' onclick='handleUpdateCheck(this);' checked> Update automatically.</label>
     <div id="accordion">
@@ -230,7 +200,7 @@
         <div class="card-header" id="headingOne">
           <h5 class="mb-0">
             <button class="btn btn-link" data-toggle="collapse" data-target="#collapseOne" aria-expanded="true" aria-controls="collapseOne">
-            Running <span class="badge badge-warning" id="runningNbr">0</span>
+              Running <span class="badge badge-warning" id="runningNbr">0</span>
             </button>
           </h5>
         </div>
@@ -244,7 +214,7 @@
         <div class="card-header" id="headingTwo">
           <h5 class="mb-0">
             <button class="btn btn-link collapsed" data-toggle="collapse" data-target="#collapseTwo" aria-expanded="false" aria-controls="collapseTwo">
-            Failed <span class="badge badge-danger" id="failedNbr">0</span>
+              Failed <span class="badge badge-danger" id="failedNbr">0</span>
             </button>
           </h5>
         </div>
@@ -258,7 +228,7 @@
         <div class="card-header" id="headingThree">
           <h5 class="mb-0">
             <button class="btn btn-link collapsed" data-toggle="collapse" data-target="#collapseThree" aria-expanded="false" aria-controls="collapseThree">
-            Succeed <span class="badge badge-success" id="succeedNbr">0</span>
+              Succeed <span class="badge badge-success" id="succeedNbr">0</span>
             </button>
           </h5>
         </div>
@@ -272,7 +242,7 @@
         <div class="card-header" id="headingFour">
           <h5 class="mb-0">
             <button class="btn btn-link collapsed" data-toggle="collapse" data-target="#collapseFour" aria-expanded="false" aria-controls="collapseFour">
-            Not started <span class="badge badge-light" id="notStartedNbr">0</span>
+              Not started <span class="badge badge-light" id="notStartedNbr">0</span>
             </button>
           </h5>
         </div>
@@ -283,5 +253,4 @@
         </div>
       </div>
     </div>
-
-</@layout.layout>
\ No newline at end of file
+  </@layout.layout>
\ No newline at end of file
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/authEntityOverview.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/authEntityOverview.html.ftl
index 371a846874..dd62fa7206 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/authEntityOverview.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/authEntityOverview.html.ftl
@@ -46,11 +46,9 @@
 	<script type="application/javascript">
         function createEntity() {
             event.preventDefault(); 
-            fetch('${adminPathBase}',
+            rest('${adminPathBase}',
             {
                 method: 'post',
-                credentials: 'same-origin',
-                headers: {'Content-Type': 'application/json'},
                 body: JSON.stringify({
                         name: document.getElementById('entity_id').value,
                         label: document.getElementById('entity_name').value
@@ -60,11 +58,9 @@
 
         function downloadEntities() {
             event.preventDefault(); 
-            fetch('${adminPathBase}',
+            rest('${adminPathBase}',
             {
                 method: 'get',
-                credentials: 'same-origin',
-                headers: {'Accept': 'application/json'}
             })
             .then(response => {return response.json()})
             .then(json => {
@@ -75,11 +71,10 @@
 
         function deleteEntity(entityId){
             event.preventDefault();
-            fetch(
+            rest(
                 '${adminPathBase}/'+entityId,
                 {
-                    method: 'delete',
-                    credentials: 'same-origin'
+                    method: 'delete'
                 })
                 .then(function(){location.reload();});
         }
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/groupHandler.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/groupHandler.html.ftl
index 17731552c4..4b89d2367a 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/groupHandler.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/groupHandler.html.ftl
@@ -40,22 +40,19 @@
 	<script type="application/javascript">
 		function addGroup() {
 			event.preventDefault();
-			fetch(
+			rest(
 				'${adminPathBase}/' + document.getElementById('group_id').value + '/${ctx.staticUriElem.USERS_PATH_ELEMENT}/${c.owner.id}',
 				{
 					method: 'post',
-					credentials: 'same-origin',
-					headers: { 'Content-Type': 'application/json' }
 				}).then(function () { location.reload() });
 		}
 
 		function removeGroup(path) {
 			event.preventDefault();
-			fetch(
+			rest(
 				path,
 				{
 					method: 'delete',
-					credentials: 'same-origin'
 				})
 				.then(function () { location.reload(); });
 		}
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/permissionCreator.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/permissionCreator.html.ftl
index 98df6c0f83..63e8240743 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/permissionCreator.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/permissionCreator.html.ftl
@@ -99,11 +99,9 @@
 		
 		permission = [domain, abilityJoin, instances].join(":")
 		console.log("Sending Permission: " + permission);
-		await fetch('/admin/permissions/${ownerId}',
+		await rest('/admin/permissions/${ownerId}',
 			{
 				method: 'post',
-				credentials: 'same-origin',
-				headers: {'Content-Type': 'application/json'},
 				body: permission
 			});
 		location.reload();
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/permissionTable.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/permissionTable.html.ftl
index d5a2d40515..399869688d 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/permissionTable.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/permissionTable.html.ftl
@@ -52,12 +52,10 @@
     <script type="application/javascript">
     function handleDeletePermission(permission){
         event.preventDefault();
-        fetch(
+        rest(
             '/admin/permissions/${ownerId}',
             {
                 method: 'delete',
-                credentials: 'same-origin',
-                headers: {'Content-Type': 'application/json'},
                 body: permission
             })
             .then(function(){location.reload()});
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/roleHandler.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/roleHandler.html.ftl
index d993ee7301..c6d1e27c42 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/roleHandler.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/roleHandler.html.ftl
@@ -40,22 +40,19 @@
 	<script type="application/javascript">
 		function addRole() {
 			event.preventDefault();
-			fetch(
+			rest(
 				'${adminPathBase}/${c.owner.id}/${ctx.staticUriElem.ROLES_PATH_ELEMENT}/' + document.getElementById('role_id').value,
 				{
 					method: 'post',
-					credentials: 'same-origin',
-					headers: { 'Content-Type': 'application/json' }
 				}).then(function () { location.reload() });
 		}
 
 		function removeRole(path) {
 			event.preventDefault();
-			fetch(
+			rest(
 				path,
 				{
 					method: 'delete',
-					credentials: 'same-origin'
 				})
 				.then(function () { location.reload(); });
 		}
diff --git a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/template.html.ftl b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/template.html.ftl
index c0fd512493..daebaf5424 100644
--- a/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/template.html.ftl
+++ b/backend/src/main/resources/com/bakdata/conquery/resources/admin/ui/templates/template.html.ftl
@@ -47,7 +47,7 @@
 							  <a class="dropdown-item" href="/threads">Threads</a>
 							  <a class="dropdown-item" href="/healthcheck?pretty=true">Health</a>
 							  <a class="dropdown-item" href=""
-								  onclick="event.preventDefault(); fetch('/tasks/shutdown', {method: 'post'});"><i
+								  onclick="shutdown(event)"><i
 									  class="fas fa-power-off text-danger"></i> Shutdown</a>
 						  </div>
 					  </li>

From ee7ae75ea0e315a4dbcb160183b6429bb15ebb66 Mon Sep 17 00:00:00 2001
From: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
Date: Thu, 25 Apr 2024 21:42:08 +0200
Subject: [PATCH 05/11] more github action updates

Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
---
 .github/workflows/codeql-analysis.yml | 2 +-
 .github/workflows/test_cypress.yml    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 4b05fbcff8..7d8fe7ddd0 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -45,7 +45,7 @@ jobs:
       uses: actions/checkout@v2
 
     - name: Set up JDK
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@v4
       with:
         distribution: 'temurin'
         java-version: '17'
diff --git a/.github/workflows/test_cypress.yml b/.github/workflows/test_cypress.yml
index 4f9bf8f7a1..8990da08ab 100644
--- a/.github/workflows/test_cypress.yml
+++ b/.github/workflows/test_cypress.yml
@@ -29,12 +29,12 @@ jobs:
           submodules: true
 
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 18
 
       - name: Set up JDK
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
           java-version: '17'

From 7d506c6776ba7a83dbedd6b40c1bcdba80be76dc Mon Sep 17 00:00:00 2001
From: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
Date: Mon, 29 Apr 2024 13:29:56 +0200
Subject: [PATCH 06/11] adds signing of csrf cookie

Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
---
 .../auth/web/csrf/CsrfTokenCheckFilter.java   | 12 ++++---
 .../auth/web/csrf/CsrfTokenSetFilter.java     | 33 ++++++++++++++++++-
 2 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
index e66f05322d..d67bfb0291 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
@@ -15,7 +15,7 @@
 /**
  * Implementation of the Double-Submit-Cookie Pattern.
  * Checks if tokens in cookie and header match if a cookie is present.
- * Otherwise the request is refused.
+ * Otherwise, the request is refused.
  */
 @Priority(AuthCookieFilter.PRIORITY - 100)
 @Slf4j
@@ -24,10 +24,12 @@ public class CsrfTokenCheckFilter implements ContainerRequestFilter {
 
 	@Override
 	public void filter(ContainerRequestContext requestContext) throws IOException {
-		final String cookieToken = Optional.ofNullable(requestContext.getCookies().get(CsrfTokenSetFilter.CSRF_COOKIE_NAME)).map(Cookie::getValue).orElse(null);
+		final String
+				cookieTokenHash =
+				Optional.ofNullable(requestContext.getCookies().get(CsrfTokenSetFilter.CSRF_COOKIE_NAME)).map(Cookie::getValue).orElse(null);
 		final String headerToken = requestContext.getHeaders().getFirst(CSRF_TOKEN_HEADER);
 
-		if (cookieToken == null) {
+		if (cookieTokenHash == null) {
 			log.trace("Request had no csrf token set. Accepting request");
 			return;
 		}
@@ -37,12 +39,12 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 			throw new ForbiddenException("CSRF Attempt");
 		}
 
-		if (!cookieToken.equals(headerToken)) {
+		if (!CsrfTokenSetFilter.checkHash(headerToken, cookieTokenHash)) {
 			log.warn("Request csrf cookie and header did not match");
+			log.trace("header-token={} cookie-token-hash={}", headerToken, cookieTokenHash);
 			throw new ForbiddenException("CSRF Attempt");
 		}
 
 		log.trace("Csrf check successful");
-
 	}
 }
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
index bd01af11f4..5e4b608bd3 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
@@ -2,14 +2,20 @@
 
 import java.io.IOException;
 import java.security.SecureRandom;
+import java.util.Base64;
 import java.util.Random;
 
+import com.password4j.Hash;
+import com.password4j.PBKDF2Function;
+import com.password4j.Password;
+import com.password4j.types.Hmac;
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.container.ContainerRequestFilter;
 import jakarta.ws.rs.container.ContainerResponseContext;
 import jakarta.ws.rs.container.ContainerResponseFilter;
 import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.core.NewCookie;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomStringUtils;
 
 /**
@@ -21,11 +27,13 @@
  *     Freemarker then writes the token into payload (see base.html.ftl)</li>
  * </ul>
  */
+@Slf4j
 public class CsrfTokenSetFilter implements ContainerRequestFilter, ContainerResponseFilter {
 
 	public static final String CSRF_COOKIE_NAME = "csrf_token";
 	public static final String CSRF_TOKEN_PROPERTY = "csrf_token";
 	public static final int TOKEN_LENGTH = 30;
+	private final static PBKDF2Function HASH_FUNCTION = PBKDF2Function.getInstance(Hmac.SHA256, 1000, CsrfTokenSetFilter.TOKEN_LENGTH + 10);
 
 	private final Random random = new SecureRandom();
 
@@ -41,11 +49,34 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 	public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) throws IOException {
 		final String csrfToken = getCsrfTokenProperty(requestContext);
 
+		final String csrfTokenHash = getTokenHash(csrfToken);
+
+		log.trace("Hashed token for cookie. token='{}' hash='{}'", csrfToken, csrfTokenHash);
+
 		responseContext.getHeaders()
-					   .add(HttpHeaders.SET_COOKIE, new NewCookie(CSRF_COOKIE_NAME, csrfToken, "/", null, 0, null, 3600, null, requestContext.getSecurityContext()
+					   .add(HttpHeaders.SET_COOKIE, new NewCookie(CSRF_COOKIE_NAME, csrfTokenHash, "/", null, 0, null, 3600, null, requestContext.getSecurityContext()
 																																			 .isSecure(), false));
 	}
 
+	private static String getTokenHash(String csrfToken) {
+		final Hash hash = Password.hash(csrfToken).addRandomSalt(32).with(HASH_FUNCTION);
+		final String encodedSalt = Base64.getEncoder().encodeToString(hash.getSaltBytes());
+		// Use '_' as join char, because it is not part of the standard base64 encoding (in base64url though)
+		return String.join("_", encodedSalt, hash.getResult());
+	}
+
+	public static boolean checkHash(String token, String hash) {
+		int delimIdx;
+		if ((delimIdx = hash.indexOf("_")) == -1 || delimIdx == hash.length() - 1) {
+			throw new IllegalArgumentException("The provided hash must be of this form: <salt>_<hashed_salted_token>, was: " + hash);
+		}
+		final String encodedSalt = hash.substring(0, delimIdx);
+		final String saltedHash = hash.substring(delimIdx + 1);
+
+		final byte[] salt = Base64.getDecoder().decode(encodedSalt);
+		return Password.check(token, saltedHash).addSalt(salt).with(HASH_FUNCTION);
+	}
+
 	public static String getCsrfTokenProperty(ContainerRequestContext requestContext) {
 		return (String) requestContext.getProperty(CSRF_TOKEN_PROPERTY);
 	}

From 867554ef19a018c5bb99f767b191a62087853be0 Mon Sep 17 00:00:00 2001
From: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
Date: Mon, 29 Apr 2024 14:45:34 +0200
Subject: [PATCH 07/11] adds readme, timers, and csrf check property for the
 request

Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
---
 .../models/auth/web/AuthCookieFilter.java     |  7 ++++
 .../auth/web/csrf/CsrfTokenCheckFilter.java   |  4 +++
 .../auth/web/csrf/CsrfTokenSetFilter.java     | 35 ++++++++++++++++---
 .../conquery/models/auth/web/csrf/ReadMe.md   | 30 ++++++++++++++++
 4 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/ReadMe.md

diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java
index 015ec9634a..27a35cf25f 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java
@@ -4,10 +4,12 @@
 
 import java.io.IOException;
 
+import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenCheckFilter;
 import com.bakdata.conquery.models.config.ConqueryConfig;
 import com.google.common.base.Strings;
 import jakarta.annotation.Priority;
 import jakarta.inject.Inject;
+import jakarta.ws.rs.ForbiddenException;
 import jakarta.ws.rs.Priorities;
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.container.ContainerRequestFilter;
@@ -58,6 +60,11 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 
 		String queryToken = requestContext.getUriInfo().getQueryParameters().getFirst(ACCESS_TOKEN);
 
+		final Object csrfCheckSuccess = requestContext.getProperty(CsrfTokenCheckFilter.CSRF_CHECK_SUCCESS_PROPERTY);
+		if (csrfCheckSuccess == null || !(boolean) csrfCheckSuccess) {
+			throw new ForbiddenException("Found an authentication cookie, but csrf check was not successful");
+		}
+
 		if(!cookie.getValue().isEmpty() && queryToken != null) {
 			log.trace("Ignoring cookie");
 			return;
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
index d67bfb0291..e535353b7c 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
@@ -22,6 +22,8 @@
 public class CsrfTokenCheckFilter implements ContainerRequestFilter {
 	public static final String CSRF_TOKEN_HEADER = "X-Csrf-Token";
 
+	public static final String CSRF_CHECK_SUCCESS_PROPERTY = "csrf-check";
+
 	@Override
 	public void filter(ContainerRequestContext requestContext) throws IOException {
 		final String
@@ -45,6 +47,8 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 			throw new ForbiddenException("CSRF Attempt");
 		}
 
+		requestContext.setProperty(CSRF_CHECK_SUCCESS_PROPERTY, true);
+
 		log.trace("Csrf check successful");
 	}
 }
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
index 5e4b608bd3..8916ca515e 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
@@ -17,6 +17,7 @@
 import jakarta.ws.rs.core.NewCookie;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.commons.lang3.time.StopWatch;
 
 /**
  * Implementation of the Double-Submit-Cookie Pattern.
@@ -33,7 +34,11 @@ public class CsrfTokenSetFilter implements ContainerRequestFilter, ContainerResp
 	public static final String CSRF_COOKIE_NAME = "csrf_token";
 	public static final String CSRF_TOKEN_PROPERTY = "csrf_token";
 	public static final int TOKEN_LENGTH = 30;
-	private final static PBKDF2Function HASH_FUNCTION = PBKDF2Function.getInstance(Hmac.SHA256, 1000, CsrfTokenSetFilter.TOKEN_LENGTH + 10);
+
+	/**
+	 * This needs to be fast, because the hash is computed on every api request and it is only short-lived.
+	 */
+	private final static PBKDF2Function HASH_FUNCTION = PBKDF2Function.getInstance(Hmac.SHA256, 1000, 256);
 
 	private final Random random = new SecureRandom();
 
@@ -54,13 +59,29 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
 		log.trace("Hashed token for cookie. token='{}' hash='{}'", csrfToken, csrfTokenHash);
 
 		responseContext.getHeaders()
-					   .add(HttpHeaders.SET_COOKIE, new NewCookie(CSRF_COOKIE_NAME, csrfTokenHash, "/", null, 0, null, 3600, null, requestContext.getSecurityContext()
-																																			 .isSecure(), false));
+					   .add(HttpHeaders.SET_COOKIE, new NewCookie(
+							   CSRF_COOKIE_NAME,
+							   csrfTokenHash,
+							   "/",
+							   null,
+							   0,
+							   null,
+							   3600,
+							   null,
+							   requestContext.getSecurityContext().isSecure(),
+							   false
+					   ));
 	}
 
 	private static String getTokenHash(String csrfToken) {
+		final StopWatch stopwatch = new StopWatch("Generate csrf token");
+
+		stopwatch.start();
 		final Hash hash = Password.hash(csrfToken).addRandomSalt(32).with(HASH_FUNCTION);
+		stopwatch.stop();
 		final String encodedSalt = Base64.getEncoder().encodeToString(hash.getSaltBytes());
+
+		log.trace("Generated token in {}", stopwatch);
 		// Use '_' as join char, because it is not part of the standard base64 encoding (in base64url though)
 		return String.join("_", encodedSalt, hash.getResult());
 	}
@@ -74,7 +95,13 @@ public static boolean checkHash(String token, String hash) {
 		final String saltedHash = hash.substring(delimIdx + 1);
 
 		final byte[] salt = Base64.getDecoder().decode(encodedSalt);
-		return Password.check(token, saltedHash).addSalt(salt).with(HASH_FUNCTION);
+		final StopWatch stopwatch = new StopWatch("Check csrf token");
+		stopwatch.start();
+		final boolean decision = Password.check(token, saltedHash).addSalt(salt).with(HASH_FUNCTION);
+		stopwatch.stop();
+
+		log.trace("Checked token in {}", stopwatch);
+		return decision;
 	}
 
 	public static String getCsrfTokenProperty(ContainerRequestContext requestContext) {
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/ReadMe.md b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/ReadMe.md
new file mode 100644
index 0000000000..b5d86e54c1
--- /dev/null
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/ReadMe.md
@@ -0,0 +1,30 @@
+# CSRF-Filter
+
+This filters prevents cross-site-request-forgery attempts which are conducted by luring a browser user to a malicious
+website.
+The user's browser needs be authenticated via an authentication cookie.
+Because we have two servlets (UI + API) for the admin-end there are two different filters.
+
+The prevention method used is the
+stateless [Signed Double-Submit Cookie](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#signed-double-submit-cookie-recommended).
+
+## [CsrfTokenSetFilter](./CsrfTokenSetFilter.java)
+
+This filter is installed on the UI-servlet. It generates a csrf-token and injects the plaintext token into the payload
+and the signed/hashed token into a cookie.
+The UI-servlet provides all html resources for the browser.
+
+## [CsrfTokenCheckFilter](./CsrfTokenCheckFilter.java)
+
+This filter is installed on the API-servlet. It extracts the double submitted token from a requests and validates them.
+If the request did not contain a csrf token cookie (e.g. request was initiated by cURL) the filter does nothing.
+If a csrf check was successful, the request is marked.
+
+This filter is not installed on the UI-servlet. Even though this servlet's responses contain sensitive data, it only
+provides GET-endpoints, which are not state altering and thus don't need csrf protection. On the API-servlet side we
+validate all requests for simplicity.
+
+## [AuthCookieFilter](../AuthCookieFilter.java)
+
+The mark set by the CsrfTokenCheckFilter is then checked by the AuthCookieFilter, when it encounters an auth-cookie.
+If an AuthCookie is provided, but no csrf check happened before, the request is rejected.
\ No newline at end of file

From 5b4c18b48310911a1bb3428b25c047f70855f567 Mon Sep 17 00:00:00 2001
From: MT <12283268+thoniTUB@users.noreply.github.com>
Date: Tue, 30 Apr 2024 07:29:44 +0200
Subject: [PATCH 08/11] Update
 backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java

Co-authored-by: awildturtok <1553491+awildturtok@users.noreply.github.com>
---
 .../conquery/models/auth/web/csrf/CsrfTokenSetFilter.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
index 8916ca515e..c2e8177492 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
@@ -74,14 +74,14 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
 	}
 
 	private static String getTokenHash(String csrfToken) {
-		final StopWatch stopwatch = new StopWatch("Generate csrf token");
+		final StopWatch stopwatch = log.isTraceEnabled() ? Stopwatch.createStarted() : null;
 
-		stopwatch.start();
 		final Hash hash = Password.hash(csrfToken).addRandomSalt(32).with(HASH_FUNCTION);
-		stopwatch.stop();
+		
+		log.trace("Generated token in {}", stopwatch);
+		
 		final String encodedSalt = Base64.getEncoder().encodeToString(hash.getSaltBytes());
 
-		log.trace("Generated token in {}", stopwatch);
 		// Use '_' as join char, because it is not part of the standard base64 encoding (in base64url though)
 		return String.join("_", encodedSalt, hash.getResult());
 	}

From da7d3ca3dbf85152e3f21da9ced8b2e109ab2c1f Mon Sep 17 00:00:00 2001
From: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
Date: Tue, 30 Apr 2024 07:37:19 +0200
Subject: [PATCH 09/11] review changes

Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
---
 .../auth/permissions/StringPermissionBuilder.java  | 10 +++++-----
 .../models/auth/web/csrf/CsrfTokenSetFilter.java   | 14 +++++++-------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/permissions/StringPermissionBuilder.java b/backend/src/main/java/com/bakdata/conquery/models/auth/permissions/StringPermissionBuilder.java
index a906d4514d..09b53ba686 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/permissions/StringPermissionBuilder.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/permissions/StringPermissionBuilder.java
@@ -1,17 +1,17 @@
 package com.bakdata.conquery.models.auth.permissions;
 
-import com.bakdata.conquery.io.cps.CPSBase;
-import com.bakdata.conquery.resources.admin.rest.AdminProcessor;
-
 import java.util.Set;
 import java.util.stream.Collectors;
 
+import com.bakdata.conquery.io.cps.CPSBase;
+import com.bakdata.conquery.resources.admin.rest.UIProcessor;
+
 /**
  * Base class with utility functions to build permissions.
  * Subclasses should wrap their call to the {@code instancePermission} functions with their own string representation.
- * {@link com.bakdata.conquery.io.cps.CPSType} is used by {@link AdminProcessor#preparePermissionTemplate()} to generate
+ * {@link com.bakdata.conquery.io.cps.CPSType} is used by {@link UIProcessor#preparePermissionTemplate()} to generate
  * a view ob possible Permissions for creation.
- * Therefore every builder should have a static INSTANCE-Field.
+ * Therefore, every builder should have a static INSTANCE-Field.
  */
 @CPSBase
 public abstract class StringPermissionBuilder {
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
index c2e8177492..c2d350d447 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
@@ -5,6 +5,7 @@
 import java.util.Base64;
 import java.util.Random;
 
+import com.google.common.base.Stopwatch;
 import com.password4j.Hash;
 import com.password4j.PBKDF2Function;
 import com.password4j.Password;
@@ -17,7 +18,6 @@
 import jakarta.ws.rs.core.NewCookie;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomStringUtils;
-import org.apache.commons.lang3.time.StopWatch;
 
 /**
  * Implementation of the Double-Submit-Cookie Pattern.
@@ -39,6 +39,8 @@ public class CsrfTokenSetFilter implements ContainerRequestFilter, ContainerResp
 	 * This needs to be fast, because the hash is computed on every api request and it is only short-lived.
 	 */
 	private final static PBKDF2Function HASH_FUNCTION = PBKDF2Function.getInstance(Hmac.SHA256, 1000, 256);
+	public static final int COOKIE_MAX_AGE = 3600 /* seconds */;
+	public static final int SALT_LENGTH = 32;
 
 	private final Random random = new SecureRandom();
 
@@ -66,7 +68,7 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
 							   null,
 							   0,
 							   null,
-							   3600,
+							   COOKIE_MAX_AGE,
 							   null,
 							   requestContext.getSecurityContext().isSecure(),
 							   false
@@ -74,9 +76,9 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
 	}
 
 	private static String getTokenHash(String csrfToken) {
-		final StopWatch stopwatch = log.isTraceEnabled() ? Stopwatch.createStarted() : null;
+		final Stopwatch stopwatch = log.isTraceEnabled() ? Stopwatch.createStarted() : null;
 
-		final Hash hash = Password.hash(csrfToken).addRandomSalt(32).with(HASH_FUNCTION);
+		final Hash hash = Password.hash(csrfToken).addRandomSalt(SALT_LENGTH).with(HASH_FUNCTION);
 		
 		log.trace("Generated token in {}", stopwatch);
 		
@@ -95,10 +97,8 @@ public static boolean checkHash(String token, String hash) {
 		final String saltedHash = hash.substring(delimIdx + 1);
 
 		final byte[] salt = Base64.getDecoder().decode(encodedSalt);
-		final StopWatch stopwatch = new StopWatch("Check csrf token");
-		stopwatch.start();
+		final Stopwatch stopwatch = log.isTraceEnabled() ? Stopwatch.createStarted() : null;
 		final boolean decision = Password.check(token, saltedHash).addSalt(salt).with(HASH_FUNCTION);
-		stopwatch.stop();
 
 		log.trace("Checked token in {}", stopwatch);
 		return decision;

From 717b9228fec40b7fa4515791f969a06ce0713971 Mon Sep 17 00:00:00 2001
From: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
Date: Mon, 6 May 2024 11:56:06 +0200
Subject: [PATCH 10/11] rename DefaultAuthFilter -> Authfilter order filter
 priorities remove csrf-check property

Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
---
 .../java/com/bakdata/conquery/apiv1/ApiV1.java   |  6 +++---
 .../models/auth/AuthorizationController.java     | 10 +++++-----
 .../models/auth/basic/JWTokenHandler.java        |  6 ++----
 .../models/auth/develop/DevAuthConfig.java       |  8 ++++----
 .../auth/develop/UserIdTokenExtractor.java       |  4 ++--
 .../models/auth/web/AuthCookieFilter.java        |  9 +--------
 .../{DefaultAuthFilter.java => AuthFilter.java}  | 16 +++++++---------
 .../models/auth/web/RedirectingAuthFilter.java   |  9 +++++----
 .../auth/web/csrf/CsrfTokenCheckFilter.java      | 12 ++++++++----
 .../models/auth/web/csrf/CsrfTokenSetFilter.java | 12 ++++++++++++
 .../IntrospectionDelegatingRealmFactory.java     |  4 ++--
 .../config/auth/LocalAuthenticationConfig.java   |  4 ++--
 12 files changed, 53 insertions(+), 47 deletions(-)
 rename backend/src/main/java/com/bakdata/conquery/models/auth/web/{DefaultAuthFilter.java => AuthFilter.java} (89%)

diff --git a/backend/src/main/java/com/bakdata/conquery/apiv1/ApiV1.java b/backend/src/main/java/com/bakdata/conquery/apiv1/ApiV1.java
index a9cfc96914..ffc6ef6f4a 100644
--- a/backend/src/main/java/com/bakdata/conquery/apiv1/ApiV1.java
+++ b/backend/src/main/java/com/bakdata/conquery/apiv1/ApiV1.java
@@ -9,7 +9,7 @@
 import com.bakdata.conquery.io.result.ResultRender.ResultRendererProvider;
 import com.bakdata.conquery.metrics.ActiveUsersFilter;
 import com.bakdata.conquery.models.auth.basic.JWTokenHandler;
-import com.bakdata.conquery.models.auth.web.DefaultAuthFilter;
+import com.bakdata.conquery.models.auth.web.AuthFilter;
 import com.bakdata.conquery.models.forms.frontendconfiguration.FormConfigProcessor;
 import com.bakdata.conquery.models.forms.frontendconfiguration.FormProcessor;
 import com.bakdata.conquery.resources.ResourcesProvider;
@@ -63,8 +63,8 @@ protected void configure() {
 		 * We use the same instance of the filter for the api servlet and the admin servlet to have a single
 		 * point for authentication.
 		 */
-		jersey.register(DefaultAuthFilter.class);
-		DefaultAuthFilter.registerTokenExtractor(JWTokenHandler.JWTokenExtractor.class, jersey.getResourceConfig());
+		jersey.register(AuthFilter.class);
+		AuthFilter.registerTokenExtractor(JWTokenHandler.JWTokenExtractor.class, jersey.getResourceConfig());
 
 
 		jersey.register(IdParamConverter.Provider.INSTANCE);
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/AuthorizationController.java b/backend/src/main/java/com/bakdata/conquery/models/auth/AuthorizationController.java
index f36044bb6b..a6490c4b73 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/AuthorizationController.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/AuthorizationController.java
@@ -15,7 +15,7 @@
 import com.bakdata.conquery.models.auth.entities.User;
 import com.bakdata.conquery.models.auth.permissions.Ability;
 import com.bakdata.conquery.models.auth.permissions.ConqueryPermission;
-import com.bakdata.conquery.models.auth.web.DefaultAuthFilter;
+import com.bakdata.conquery.models.auth.web.AuthFilter;
 import com.bakdata.conquery.models.auth.web.RedirectingAuthFilter;
 import com.bakdata.conquery.models.config.ConqueryConfig;
 import com.bakdata.conquery.models.config.auth.AuthenticationRealmFactory;
@@ -85,18 +85,18 @@ public AuthorizationController(MetaStorage storage, ConqueryConfig config, Envir
 		this.adminServlet = adminServlet;
 
 		if (adminServlet != null) {
-			adminServlet.getJerseyConfig().register(DefaultAuthFilter.class);
-			DefaultAuthFilter.registerTokenExtractor(JWTokenHandler.JWTokenExtractor.class, adminServlet.getJerseyConfig());
+			adminServlet.getJerseyConfig().register(AuthFilter.class);
+			AuthFilter.registerTokenExtractor(JWTokenHandler.JWTokenExtractor.class, adminServlet.getJerseyConfig());
 
 			// The binding is necessary here because the RedirectingAuthFitler delegates to the DefaultAuthfilter at the moment
 			adminServlet.getJerseyConfigUI().register(new AbstractBinder() {
 				@Override
 				protected void configure() {
-					bindAsContract(DefaultAuthFilter.class);
+					bindAsContract(AuthFilter.class);
 				}
 			});
 			adminServlet.getJerseyConfigUI().register(RedirectingAuthFilter.class);
-			DefaultAuthFilter.registerTokenExtractor(JWTokenHandler.JWTokenExtractor.class, adminServlet.getJerseyConfigUI());
+			AuthFilter.registerTokenExtractor(JWTokenHandler.JWTokenExtractor.class, adminServlet.getJerseyConfigUI());
 		}
 
 		unprotectedAuthAdmin = AuthServlet.generalSetup(environment.metrics(), config, environment.admin(), environment.getObjectMapper());
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/basic/JWTokenHandler.java b/backend/src/main/java/com/bakdata/conquery/models/auth/basic/JWTokenHandler.java
index e29fbc5df6..04930ca201 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/basic/JWTokenHandler.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/basic/JWTokenHandler.java
@@ -9,10 +9,9 @@
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.JWTDecodeException;
-import com.bakdata.conquery.models.auth.web.DefaultAuthFilter;
+import com.bakdata.conquery.models.auth.web.AuthFilter;
 import io.dropwizard.auth.oauth.OAuthCredentialAuthFilter;
 import io.dropwizard.util.Duration;
-import jakarta.inject.Named;
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.core.HttpHeaders;
 import lombok.experimental.UtilityClass;
@@ -21,7 +20,6 @@
 import org.apache.commons.lang3.time.DateUtils;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.BearerToken;
-import org.jvnet.hk2.annotations.Service;
 
 @UtilityClass
 @Slf4j
@@ -100,7 +98,7 @@ public static String generateTokenSecret() {
 	 * @param request
 	 * @return
 	 */
-	public static class JWTokenExtractor implements DefaultAuthFilter.TokenExtractor {
+	public static class JWTokenExtractor implements AuthFilter.TokenExtractor {
 
 		@Override
 		public AuthenticationToken apply(ContainerRequestContext request) {
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/develop/DevAuthConfig.java b/backend/src/main/java/com/bakdata/conquery/models/auth/develop/DevAuthConfig.java
index cb887b9b9f..d28e350c44 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/develop/DevAuthConfig.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/develop/DevAuthConfig.java
@@ -3,7 +3,7 @@
 import com.bakdata.conquery.io.cps.CPSType;
 import com.bakdata.conquery.models.auth.AuthorizationController;
 import com.bakdata.conquery.models.auth.ConqueryAuthenticationRealm;
-import com.bakdata.conquery.models.auth.web.DefaultAuthFilter;
+import com.bakdata.conquery.models.auth.web.AuthFilter;
 import com.bakdata.conquery.models.config.ConqueryConfig;
 import com.bakdata.conquery.models.config.auth.AuthenticationRealmFactory;
 import com.bakdata.conquery.models.identifiable.ids.specific.UserId;
@@ -19,10 +19,10 @@ public class DevAuthConfig implements AuthenticationRealmFactory {
 	@Override
 	public ConqueryAuthenticationRealm createRealm(Environment environment, ConqueryConfig config, AuthorizationController authorizationController) {
 
-		DefaultAuthFilter.registerTokenExtractor(UserIdTokenExtractor.class, environment.jersey().getResourceConfig());
+		AuthFilter.registerTokenExtractor(UserIdTokenExtractor.class, environment.jersey().getResourceConfig());
 		if (authorizationController.getAdminServlet() != null) {
-			DefaultAuthFilter.registerTokenExtractor(UserIdTokenExtractor.class, authorizationController.getAdminServlet().getJerseyConfig());
-			DefaultAuthFilter.registerTokenExtractor(UserIdTokenExtractor.class, authorizationController.getAdminServlet().getJerseyConfigUI());
+			AuthFilter.registerTokenExtractor(UserIdTokenExtractor.class, authorizationController.getAdminServlet().getJerseyConfig());
+			AuthFilter.registerTokenExtractor(UserIdTokenExtractor.class, authorizationController.getAdminServlet().getJerseyConfigUI());
 		}
 
 		// Use the first defined user als the default user. This is usually the superuser if the DevelopmentAuthorizationConfig is set
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/develop/UserIdTokenExtractor.java b/backend/src/main/java/com/bakdata/conquery/models/auth/develop/UserIdTokenExtractor.java
index 3c5f513e51..cd906eac6c 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/develop/UserIdTokenExtractor.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/develop/UserIdTokenExtractor.java
@@ -1,6 +1,6 @@
 package com.bakdata.conquery.models.auth.develop;
 
-import com.bakdata.conquery.models.auth.web.DefaultAuthFilter;
+import com.bakdata.conquery.models.auth.web.AuthFilter;
 import com.bakdata.conquery.models.identifiable.ids.specific.UserId;
 import jakarta.inject.Named;
 import jakarta.ws.rs.container.ContainerRequestContext;
@@ -15,7 +15,7 @@
 @RequiredArgsConstructor
 @Service
 @Named("user-id")
-public class UserIdTokenExtractor implements DefaultAuthFilter.TokenExtractor {
+public class UserIdTokenExtractor implements AuthFilter.TokenExtractor {
 
 	private static final String UID_QUERY_STRING_PARAMETER = "access_token";
 
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java
index 27a35cf25f..25ab71e036 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthCookieFilter.java
@@ -4,12 +4,10 @@
 
 import java.io.IOException;
 
-import com.bakdata.conquery.models.auth.web.csrf.CsrfTokenCheckFilter;
 import com.bakdata.conquery.models.config.ConqueryConfig;
 import com.google.common.base.Strings;
 import jakarta.annotation.Priority;
 import jakarta.inject.Inject;
-import jakarta.ws.rs.ForbiddenException;
 import jakarta.ws.rs.Priorities;
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.container.ContainerRequestFilter;
@@ -48,7 +46,7 @@ public class AuthCookieFilter implements ContainerRequestFilter, ContainerRespon
 
 	/**
 	 * The filter tries to extract a token from a cookie and puts it into the
-	 * authorization header of the request. This simplifies the token retrival
+	 * authorization header of the request. This simplifies the token retrieval
 	 * process for the realms.
 	 */
 	@Override
@@ -60,11 +58,6 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 
 		String queryToken = requestContext.getUriInfo().getQueryParameters().getFirst(ACCESS_TOKEN);
 
-		final Object csrfCheckSuccess = requestContext.getProperty(CsrfTokenCheckFilter.CSRF_CHECK_SUCCESS_PROPERTY);
-		if (csrfCheckSuccess == null || !(boolean) csrfCheckSuccess) {
-			throw new ForbiddenException("Found an authentication cookie, but csrf check was not successful");
-		}
-
 		if(!cookie.getValue().isEmpty() && queryToken != null) {
 			log.trace("Ignoring cookie");
 			return;
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/DefaultAuthFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthFilter.java
similarity index 89%
rename from backend/src/main/java/com/bakdata/conquery/models/auth/web/DefaultAuthFilter.java
rename to backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthFilter.java
index a1793ebb27..24a0273966 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/DefaultAuthFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/AuthFilter.java
@@ -8,7 +8,6 @@
 import com.bakdata.conquery.models.auth.ConqueryAuthenticator;
 import com.bakdata.conquery.models.auth.entities.Subject;
 import com.google.common.base.Function;
-import io.dropwizard.auth.AuthFilter;
 import io.dropwizard.auth.DefaultUnauthorizedHandler;
 import jakarta.annotation.Priority;
 import jakarta.inject.Inject;
@@ -17,9 +16,6 @@
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.container.PreMatching;
 import jakarta.ws.rs.core.SecurityContext;
-import jakarta.ws.rs.ext.Provider;
-import lombok.RequiredArgsConstructor;
-import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationToken;
@@ -32,17 +28,19 @@
  * security relevant information for protected resources. The request is first
  * submitted to the registered {@link ConqueryAuthenticationRealm}s for the
  * token extraction, then the extracted tokens are submitted these realms
- * through Dropwizards {@link AuthFilter} and Shiro.
+ * through Dropwizards {@link io.dropwizard.auth.AuthFilter} and Shiro.
  */
 @Slf4j
 @PreMatching
-@Priority(Priorities.AUTHENTICATION)
-public class DefaultAuthFilter extends AuthFilter<AuthenticationToken, Subject> {
+@Priority(AuthFilter.PRIORITY)
+public class AuthFilter extends io.dropwizard.auth.AuthFilter<AuthenticationToken, Subject> {
+
+	public static final int PRIORITY = Priorities.AUTHENTICATION;
 
 	private final IterableProvider<TokenExtractor> tokenExtractors;
 
 	@Inject
-	public DefaultAuthFilter(IterableProvider<TokenExtractor> tokenExtractors) {
+	public AuthFilter(IterableProvider<TokenExtractor> tokenExtractors) {
 		this.tokenExtractors = tokenExtractors;
 		this.authenticator = new ConqueryAuthenticator();
 		this.unauthorizedHandler = new DefaultUnauthorizedHandler();
@@ -102,7 +100,7 @@ public static void registerTokenExtractor(Class<? extends TokenExtractor> extrac
 	 * Authenticating realms need to be able to extract a token from a request. How
 	 * it performs the extraction is implementation dependent. Anyway the realm
 	 * should NOT alter the request. This function is called prior to the
-	 * authentication process in the {@link DefaultAuthFilter}. After the token
+	 * authentication process in the {@link AuthFilter}. After the token
 	 * extraction process the Token is resubmitted to the realm from the AuthFilter
 	 * to the {@link ConqueryAuthenticator} which dispatches it to shiro.
 	 *
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/RedirectingAuthFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/RedirectingAuthFilter.java
index c1ed9cca47..4d4a214bfd 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/RedirectingAuthFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/RedirectingAuthFilter.java
@@ -8,7 +8,6 @@
 
 import com.bakdata.conquery.models.auth.entities.User;
 import com.bakdata.conquery.resources.admin.ui.model.UIView;
-import io.dropwizard.auth.AuthFilter;
 import jakarta.annotation.Priority;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.BadRequestException;
@@ -40,10 +39,12 @@
  * the login schema can be chosen.
  */
 @Slf4j
-@Priority(Priorities.AUTHENTICATION - 1)
+@Priority(RedirectingAuthFilter.PRIORITY)
 @PreMatching
 @RequiredArgsConstructor(onConstructor_ = {@Inject})
-public class RedirectingAuthFilter extends AuthFilter<AuthenticationToken, User> {
+public class RedirectingAuthFilter extends io.dropwizard.auth.AuthFilter<AuthenticationToken, User> {
+
+	public static final int PRIORITY = Priorities.AUTHENTICATION;
 
 	public static final String REDIRECT_URI = "redirect_uri";
 	/**
@@ -61,7 +62,7 @@ public class RedirectingAuthFilter extends AuthFilter<AuthenticationToken, User>
 	/**
 	 * The Filter that checks if a request was authenticated
 	 */
-	private final DefaultAuthFilter delegate;
+	private final AuthFilter delegate;
 
 	public static void registerLoginInitiator(ResourceConfig resourceConfig, LoginInitiator initiator, final String name) {
 		resourceConfig.register(new AbstractBinder() {
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
index e535353b7c..910af59848 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenCheckFilter.java
@@ -6,6 +6,7 @@
 import com.bakdata.conquery.models.auth.web.AuthCookieFilter;
 import jakarta.annotation.Priority;
 import jakarta.ws.rs.ForbiddenException;
+import jakarta.ws.rs.HttpMethod;
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.container.ContainerRequestFilter;
 import jakarta.ws.rs.core.Cookie;
@@ -22,8 +23,6 @@
 public class CsrfTokenCheckFilter implements ContainerRequestFilter {
 	public static final String CSRF_TOKEN_HEADER = "X-Csrf-Token";
 
-	public static final String CSRF_CHECK_SUCCESS_PROPERTY = "csrf-check";
-
 	@Override
 	public void filter(ContainerRequestContext requestContext) throws IOException {
 		final String
@@ -31,6 +30,13 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 				Optional.ofNullable(requestContext.getCookies().get(CsrfTokenSetFilter.CSRF_COOKIE_NAME)).map(Cookie::getValue).orElse(null);
 		final String headerToken = requestContext.getHeaders().getFirst(CSRF_TOKEN_HEADER);
 
+		final String method = requestContext.getMethod();
+
+		if (HttpMethod.GET.equals(method) || HttpMethod.HEAD.equals(method) || HttpMethod.OPTIONS.equals(method)) {
+			log.trace("Skipping csrf check because request is not state changing (method={})", method);
+			return;
+		}
+
 		if (cookieTokenHash == null) {
 			log.trace("Request had no csrf token set. Accepting request");
 			return;
@@ -47,8 +53,6 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 			throw new ForbiddenException("CSRF Attempt");
 		}
 
-		requestContext.setProperty(CSRF_CHECK_SUCCESS_PROPERTY, true);
-
 		log.trace("Csrf check successful");
 	}
 }
diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
index c2d350d447..939db8a213 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/CsrfTokenSetFilter.java
@@ -5,11 +5,13 @@
 import java.util.Base64;
 import java.util.Random;
 
+import com.bakdata.conquery.models.auth.web.AuthCookieFilter;
 import com.google.common.base.Stopwatch;
 import com.password4j.Hash;
 import com.password4j.PBKDF2Function;
 import com.password4j.Password;
 import com.password4j.types.Hmac;
+import jakarta.annotation.Priority;
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.container.ContainerRequestFilter;
 import jakarta.ws.rs.container.ContainerResponseContext;
@@ -18,6 +20,7 @@
 import jakarta.ws.rs.core.NewCookie;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.commons.lang3.StringUtils;
 
 /**
  * Implementation of the Double-Submit-Cookie Pattern.
@@ -27,8 +30,12 @@
  *     <li>In the response payload. This filter sets a request property, which is eventually provided to freemarker.
  *     Freemarker then writes the token into payload (see base.html.ftl)</li>
  * </ul>
+ *
+ * This filter is only installed on the ui side of the admin servlet and should to be evaluated before any authentication.
+ * Hence, its priority is lower.
  */
 @Slf4j
+@Priority(AuthCookieFilter.PRIORITY - 100)
 public class CsrfTokenSetFilter implements ContainerRequestFilter, ContainerResponseFilter {
 
 	public static final String CSRF_COOKIE_NAME = "csrf_token";
@@ -56,6 +63,11 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 	public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) throws IOException {
 		final String csrfToken = getCsrfTokenProperty(requestContext);
 
+		if (StringUtils.isBlank(csrfToken)) {
+			log.warn("No csrf-token was registered for this request. Skipping csrf-cookie creation.");
+			return;
+		}
+
 		final String csrfTokenHash = getTokenHash(csrfToken);
 
 		log.trace("Hashed token for cookie. token='{}' hash='{}'", csrfToken, csrfTokenHash);
diff --git a/backend/src/main/java/com/bakdata/conquery/models/config/auth/IntrospectionDelegatingRealmFactory.java b/backend/src/main/java/com/bakdata/conquery/models/config/auth/IntrospectionDelegatingRealmFactory.java
index 6220c3ba40..3501c01c67 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/config/auth/IntrospectionDelegatingRealmFactory.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/config/auth/IntrospectionDelegatingRealmFactory.java
@@ -9,7 +9,7 @@
 import com.bakdata.conquery.models.auth.basic.JWTokenHandler;
 import com.bakdata.conquery.models.auth.oidc.IntrospectionDelegatingRealm;
 import com.bakdata.conquery.models.auth.oidc.keycloak.KeycloakApi;
-import com.bakdata.conquery.models.auth.web.DefaultAuthFilter;
+import com.bakdata.conquery.models.auth.web.AuthFilter;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
 import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
@@ -49,7 +49,7 @@ public class IntrospectionDelegatingRealmFactory extends Configuration {
 	public ConqueryAuthenticationRealm createRealm(Environment environment, AuthorizationController authorizationController) {
 
 		// Register token extractor for JWT Tokens
-		DefaultAuthFilter.registerTokenExtractor(JWTokenHandler.JWTokenExtractor.class, environment.jersey().getResourceConfig());
+		AuthFilter.registerTokenExtractor(JWTokenHandler.JWTokenExtractor.class, environment.jersey().getResourceConfig());
 
 		// At start up, try tp retrieve the idp client api object if possible. If the idp service is not up don't fail start up.
 		authClient = getAuthClient(false);
diff --git a/backend/src/main/java/com/bakdata/conquery/models/config/auth/LocalAuthenticationConfig.java b/backend/src/main/java/com/bakdata/conquery/models/config/auth/LocalAuthenticationConfig.java
index 4ea4956d42..cde3dea9fa 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/config/auth/LocalAuthenticationConfig.java
+++ b/backend/src/main/java/com/bakdata/conquery/models/config/auth/LocalAuthenticationConfig.java
@@ -13,7 +13,7 @@
 import com.bakdata.conquery.models.auth.basic.JWTokenHandler;
 import com.bakdata.conquery.models.auth.basic.LocalAuthenticationRealm;
 import com.bakdata.conquery.models.auth.basic.UserAuthenticationManagementProcessor;
-import com.bakdata.conquery.models.auth.web.DefaultAuthFilter;
+import com.bakdata.conquery.models.auth.web.AuthFilter;
 import com.bakdata.conquery.models.auth.web.RedirectingAuthFilter;
 import com.bakdata.conquery.models.config.ConqueryConfig;
 import com.bakdata.conquery.models.config.XodusConfig;
@@ -79,7 +79,7 @@ boolean isStorageEncrypted() {
 	@Override
 	public ConqueryAuthenticationRealm createRealm(Environment environment, ConqueryConfig config, AuthorizationController authorizationController) {
 		// Token extractor is not needed because this realm depends on the ConqueryTokenRealm
-		DefaultAuthFilter.registerTokenExtractor(JWTokenHandler.JWTokenExtractor.class, environment.jersey().getResourceConfig());
+		AuthFilter.registerTokenExtractor(JWTokenHandler.JWTokenExtractor.class, environment.jersey().getResourceConfig());
 
 		log.info("Performing benchmark for default hash function (bcrypt) with max_milliseconds={}", BCRYPT_MAX_MILLISECONDS);
 		final BenchmarkResult<BcryptFunction> result = SystemChecker.benchmarkBcrypt(BCRYPT_MAX_MILLISECONDS);

From 0a48af0c436bff820af55368765e794521e54ae6 Mon Sep 17 00:00:00 2001
From: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
Date: Mon, 6 May 2024 13:12:59 +0200
Subject: [PATCH 11/11] update readme

Signed-off-by: Max Thonagel <12283268+thoniTUB@users.noreply.github.com>
---
 .../com/bakdata/conquery/models/auth/web/csrf/ReadMe.md     | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/ReadMe.md b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/ReadMe.md
index b5d86e54c1..d1d36264e0 100644
--- a/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/ReadMe.md
+++ b/backend/src/main/java/com/bakdata/conquery/models/auth/web/csrf/ReadMe.md
@@ -18,13 +18,7 @@ The UI-servlet provides all html resources for the browser.
 
 This filter is installed on the API-servlet. It extracts the double submitted token from a requests and validates them.
 If the request did not contain a csrf token cookie (e.g. request was initiated by cURL) the filter does nothing.
-If a csrf check was successful, the request is marked.
 
 This filter is not installed on the UI-servlet. Even though this servlet's responses contain sensitive data, it only
 provides GET-endpoints, which are not state altering and thus don't need csrf protection. On the API-servlet side we
 validate all requests for simplicity.
-
-## [AuthCookieFilter](../AuthCookieFilter.java)
-
-The mark set by the CsrfTokenCheckFilter is then checked by the AuthCookieFilter, when it encounters an auth-cookie.
-If an AuthCookie is provided, but no csrf check happened before, the request is rejected.
\ No newline at end of file