From 0c7963d6eba025cb79102b4d6709e208dac0d37e Mon Sep 17 00:00:00 2001 From: artie Date: Tue, 10 Oct 2017 15:24:03 -0400 Subject: [PATCH] adding csrf protection, excluding api endpoints --- app/Global.scala | 32 ++++++++++++++++++--------- app/views/login.scala.html | 1 + app/views/main.scala.html | 1 + app/views/resources/create.scala.html | 1 + build.sbt | 2 +- project/plugins.sbt | 2 +- 6 files changed, 26 insertions(+), 13 deletions(-) diff --git a/app/Global.scala b/app/Global.scala index 23dbafc29..c3320c2db 100644 --- a/app/Global.scala +++ b/app/Global.scala @@ -1,15 +1,10 @@ import scala.concurrent.Future - import play.api.Application import play.api.GlobalSettings import play.api.Logger import play.api.Mode import play.api.Play -import play.api.mvc.Handler -import play.api.mvc.RequestHeader -import play.api.mvc.Result -import play.api.mvc.Results - +import play.api.mvc._ import collins.callbacks.Callback import collins.controllers.ApiResponse import collins.db.DB @@ -30,8 +25,9 @@ import collins.util.config.Registry import collins.util.security.AuthenticationAccessor import collins.util.security.AuthenticationProvider import collins.util.security.AuthenticationProviderConfig +import play.filters.csrf._ -object Global extends GlobalSettings with AuthenticationAccessor with CryptoAccessor { +object Global extends WithFilters(new OptionalCSRFFilter(CSRFFilter())) with GlobalSettings with AuthenticationAccessor with CryptoAccessor { private[this] val logger = Logger.logger override def beforeStart(app: Application) { 
@@ -78,11 +74,12 @@ object Global extends GlobalSettings with AuthenticationAccessor with CryptoAcce override def onError(request: RequestHeader, ex: Throwable): Future[Result] = { logger.warn("Unhandled exception", ex) - val debugOutput = Play.maybeApplication.map { - case app if app.mode == Mode.Dev => true - case app if app.mode == Mode.Test => true + val debugOutput = Play.maybeApplication match { + case Some(Mode.Dev) => true + case Some(Mode.Test) => true case _ => false - }.getOrElse(true) + } + val status = Results.InternalServerError val err = if (debugOutput) Some(ex) else None OutputType(request) match { @@ -154,3 +151,16 @@ object Global extends GlobalSettings with AuthenticationAccessor with CryptoAcce authen } } + +class OptionalCSRFFilter(filter: CSRFFilter) extends EssentialFilter { + + override def apply(nextFilter: EssentialAction): EssentialAction = new EssentialAction { + + //thanks to dominik dorn for the writeup on exlusion filters + //more here: https://dominikdorn.com/2014/07/playframework-2-3-global-csrf-protection-disable-csrf-selectively/ + override def apply(rh: RequestHeader) = { + val chainedFilter = filter.apply(nextFilter) + if (rh.path.startsWith("/api/")) nextFilter(rh) else chainedFilter(rh) + } + } +} diff --git a/app/views/login.scala.html b/app/views/login.scala.html index cccd8531e..7a14e17fb 100644 --- a/app/views/login.scala.html +++ b/app/views/login.scala.html @@ -53,6 +53,7 @@
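Review bot: The rewritten `debugOutput` match can never reach its `true` branches: the removed lines show that `Play.maybeApplication` holds an application (`app.mode == Mode.Dev`), while the new patterns `case Some(Mode.Dev)` / `case Some(Mode.Test)` are stable-identifier patterns that compare that application object itself against a `Mode` value with `==`, so the match falls through to `case _ => false` in every mode and Dev/Test responses silently lose the exception detail. Matching on the mode instead fixes it without touching the remaining cases: `val debugOutput = Play.maybeApplication.map(_.mode) match {`. Changing the no-application fallback from the old `.getOrElse(true)` to `false` is the right direction — an unhandled exception should never echo a stack trace by default — and that part should be kept. The enclosing `onError` continues past the end of the hunk (the `OutputType(request) match` is cut off), so the rest of the response building is not reviewed here.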
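Review bot: The bypass in `OptionalCSRFFilter.apply(rh)` is decided by path prefix alone, so any `/api/` route that also honours the browser's session cookie stays fully CSRF-able after this change — whether Collins' API actions accept a session as well as Basic auth cannot be seen in this hunk, so it needs checking against the shared `SecureAction`. If the API is meant for explicit-credential clients, tying the exemption to the absence of a session keeps cookie-borne requests under the filter: `if (rh.path.startsWith("/api/") && rh.session.isEmpty) nextFilter(rh) else chainedFilter(rh)`; otherwise the exemption should be narrowed to the routes that truly need it. The class also carries no documentation of this trade-off; I would put above it `/** Runs the wrapped CSRFFilter for every request except paths under /api/, which are passed through unchecked — a cookie-authenticated POST to /api/* is therefore not CSRF-protected. */`.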

Login Enter your credentials.

@loginForm("location").value.map { value => } + @helper.CSRF.formField } diff --git a/app/views/main.scala.html b/app/views/main.scala.html index a360b15e8..66b3a1677 100644 --- a/app/views/main.scala.html +++ b/app/views/main.scala.html @@ -89,6 +89,7 @@ + @helper.CSRF.formField diff --git a/app/views/resources/create.scala.html b/app/views/resources/create.scala.html index ce52e2d6b..d22d946da 100644 --- a/app/views/resources/create.scala.html +++ b/app/views/resources/create.scala.html @@ -54,6 +54,7 @@
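Review bot: `@helper.CSRF.formField` needs an implicit `RequestHeader` in the template's parameter list (Play 2.3 derives the `CSRF.Token` from it), and main.scala.html looks like the shared layout, so every template and controller that renders it has to thread the request through — the template signatures are outside the hunk, so this cannot be confirmed here. As far as I recall, the implicit token lookup in Play 2.3 fails with `sys.error` when the request carries no token (for example a page rendered from a non-GET request or from the `onError` / `onHandlerNotFound` paths, where the filter has not created one), which would turn a missing token into a 500 on page render rather than a rejected POST; a test that renders the layout through those paths is worth adding. A short template comment would help readers: `@* CSRF token for the form below; needs an implicit RequestHeader so play.filters.csrf can find the token the filter stored in the session *@`.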

Create Make a new @atype.label.

+ @helper.CSRF.formField diff --git a/build.sbt b/build.sbt index 9cf9a2263..0fccd0607 100644 --- a/build.sbt +++ b/build.sbt @@ -56,4 +56,4 @@ libraryDependencies ++= Seq( "org.webjars" % "jquery" % "2.1.4", "com.hazelcast" % "hazelcast" % "3.5.2", ws -) +) :+ filters diff --git a/project/plugins.sbt b/project/plugins.sbt index 974d35f09..d0cb146e0 100644 --- a/project/plugins.sbt +++ b/project/plugins.sbt @@ -5,7 +5,7 @@ resolvers ++= Seq( "Sontype Releases" at "https://oss.sonatype.org/content/repositories/releases/" ) -addSbtPlugin("com.typesafe.play" % "sbt-plugin" % Option(System.getProperty("play.version")).getOrElse("2.3.9")) +addSbtPlugin("com.typesafe.play" % "sbt-plugin" % Option(System.getProperty("play.version")).getOrElse("2.3.10")) addSbtPlugin("org.scalastyle" %% "scalastyle-sbt-plugin" % "0.6.0")