1. Only add the CSRF token on a POST request.

2. Optionally allow the binding of a Test HTTP Request consumer.
prime-framework · Jan 22, 2025 · 73a6385 · 73a6385
1 parent 967640f
commit 73a6385
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 10 deletions.
diff --git a/build.savant b/build.savant
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2024, Inversoft Inc., All Rights Reserved
+ * Copyright (c) 2014-2025, Inversoft Inc., All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,7 +29,7 @@ logbackVersion = "1.4.14"
 slf4jVersion = "2.0.13"
 testngVersion = "7.8.0"
 
-project(group: "org.primeframework", name: "prime-mvc", version: "4.28.0", licenses: ["ApacheV2_0"]) {
+project(group: "org.primeframework", name: "prime-mvc", version: "4.29.0", licenses: ["ApacheV2_0"]) {
   workflow {
     fetch {
       // Dependency resolution order:

diff --git a/src/test/java/org/primeframework/mvc/test/RequestBuilder.java b/src/test/java/org/primeframework/mvc/test/RequestBuilder.java
@@ -45,6 +45,7 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.ConfigurationException;
 import com.google.inject.Injector;
 import io.fusionauth.http.Cookie;
 import io.fusionauth.http.Cookie.SameSite;
@@ -832,18 +833,29 @@ HTTPResponseWrapper run() {
 
     // Now that the cookies are ready, if the CSRF token is enabled and the parameter isn't set, we set it to be consistent
     // since the [@control.form] would normally set that into the form and into the request.
-    MVCConfiguration configuration = injector.getInstance(MVCConfiguration.class);
-    if (configuration.csrfEnabled()) {
-      CSRFProvider csrfProvider = injector.getInstance(CSRFProvider.class);
-      if (csrfProvider.getTokenFromRequest(request) == null) {
-        String token = csrfProvider.getToken(request);
-        if (token != null) {
-          String parameterName = csrfProvider.getParameterName();
-          request.addURLParameter(parameterName, token);
+    if (request.getMethod() == HTTPMethod.POST) {
+      MVCConfiguration configuration = injector.getInstance(MVCConfiguration.class);
+      if (configuration.csrfEnabled()) {
+        CSRFProvider csrfProvider = injector.getInstance(CSRFProvider.class);
+        if (csrfProvider.getTokenFromRequest(request) == null) {
+          String token = csrfProvider.getToken(request);
+          if (token != null) {
+            String parameterName = csrfProvider.getParameterName();
+            requestBodyParameters.put(parameterName, List.of(token));
+          }
         }
       }
     }
 
+    // Optionally allow the caller to consume the HTTP request in order to mutate it and what not.
+    try {
+      RequestBuilderHTTPRequestConsumer httpRequestConsumer = injector.getInstance(RequestBuilderHTTPRequestConsumer.class);
+      if (httpRequestConsumer != null) {
+        httpRequestConsumer.accept(request);
+      }
+    } catch (ConfigurationException ignore) {
+    }
+
     List<Locale> locales = request.getLocales();
     String contentType = request.getContentType();
     Charset characterEncoding = request.getCharacterEncoding();

diff --git a/src/test/java/org/primeframework/mvc/test/RequestBuilderHTTPRequestConsumer.java b/src/test/java/org/primeframework/mvc/test/RequestBuilderHTTPRequestConsumer.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2025, Inversoft Inc., All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
+ */
+package org.primeframework.mvc.test;
+
+import io.fusionauth.http.server.HTTPRequest;
+
+/**
+ * A test HTTP request consumer to allow modifications of the HTTP request during the HTTP request simulator.
+ *
+ * @author Daniel DeGroff
+ */
+public interface RequestBuilderHTTPRequestConsumer {
+  /**
+   * @param httpRequest the http request
+   */
+  void accept(HTTPRequest httpRequest);
+}