https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42876
David Cook <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |In Discussion

--- Comment #4 from David Cook <[email protected]> ---
I've been worried about CSRF tokens expiring in Vue apps for a while, so it's good to see some work on this.

But I don't think an /api/v1/auth/csrf endpoint is the way to do it.

Personally, I would use a GET endpoint like /api/v1/me (or /api/v1/auth/session or something like that). The idea being that you're checking on the session and it returns a CSRF token with its response.

But that thought then got me thinking... why do we expire tokens based on time?

I suppose the idea is that if a token gets stolen it expires after a certain amount of time, but 8 hours is a long time and really we're trying to authenticate that the request was made by the user's session.

(This comes up a lot online and in places like OWASP "Should Timestamps be Included in CSRF Tokens for Expiration?": https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#employing-hmac-csrf-tokens - although there are some mixed messages on per-request tokens on that cheatsheet.)

I think the main reason we use time expiry is because WWW::CSRF forces us to.

I'm just about to jump into a quick meeting but I'll return here shortly...
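The two token designs the comment weighs against each other, as an added illustration in Python (not Koha's code and not WWW::CSRF): a session-bound HMAC token that lives as long as the session, beside a timestamped token that is rejected after a TTL. The secret and session ids are constructed values.

```python
import hmac
import hashlib
import secrets
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads this from config.
SECRET = b"example-server-secret-not-for-production"


def _sign(secret: bytes, *parts: str) -> str:
    # NUL-separated parts so "ab"+"c" and "a"+"bc" cannot collide.
    msg = "\x00".join(parts).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_session_token(secret: bytes, session_id: str) -> str:
    """Session-bound token: a random nonce signed together with the session id.
    Valid exactly as long as the session is; no clock involved."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_sign(secret, session_id, nonce)}"


def check_session_token(secret: bytes, session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".")
    except ValueError:
        return False
    # Constant-time compare; a token minted for another session fails here.
    return hmac.compare_digest(mac, _sign(secret, session_id, nonce))


def make_timed_token(secret: bytes, session_id: str, now: Optional[int] = None) -> str:
    """Timestamped variant: the issue time is embedded and covered by the MAC,
    so the verifier can additionally reject tokens older than a TTL."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    return f"{ts}.{nonce}.{_sign(secret, session_id, nonce, str(ts))}"


def check_timed_token(secret: bytes, session_id: str, token: str,
                      ttl: int, now: Optional[int] = None) -> bool:
    try:
        ts_str, nonce, mac = token.split(".")
        ts = int(ts_str)
    except ValueError:
        return False
    if not hmac.compare_digest(mac, _sign(secret, session_id, nonce, ts_str)):
        return False
    current = int(time.time()) if now is None else now
    return 0 <= current - ts <= ttl  # expired (or future-dated) tokens fail
```

Both checks bind the token to the session id, which is the property the comment says actually matters; the TTL is the extra, time-based condition on top.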
