Comments (1)
ThomBreugelmans
commented on September 6, 2024
Spring boot apparently only sets the XSRF-TOKEN on requests that modify the state of the server (e.g. no GET), see section 3 in https://www.baeldung.com/spring-security-csrf
This means that an unauthenticated user who has not yet visited the site or ordered something, will not have an XSRF-TOKEN yet. And when they go to checkout they will make their first POST request, which will set their XSRF-TOKEN. However this request will also be rejected with a 403 because they do not have a valid token yet and the endpoint is protected. Though, if they try this again it will succeed as they now have a valid token.
I think the /checkout POST endpoint should not be protected with CSRF as it leads to these current issues, additionally there is no harm done by creating a checkout as it does not harm users (no money gets stolen, nor (personal) details).
from events.
Related Issues (20)
- Problems with loading Order Overview HOT 2
- Add tests for `AuthenticationServiceImpl`
- New Login Screen HOT 1
- Add creditcard and paypal payment methods HOT 2
- Add BTW to products HOT 1
- Fix DB migration schemes
- Cleanup database
- Cannot delete product
- Upgrade to Spring Boot 3 HOT 1
- Number of sold tickets incorect
- Add VAT to treasurer tab
- Scheduled task for deleting order reservations causes high database load due to wrong findAll() call
- Add Prometheus compatible metrics endpoint
- Issues with sales export
- Percentage of tickets scanned per user
- Automatic reminder emails HOT 1
- Fix committees for Google Groups (or Dienst2)
- [Deprecation] Fix trailing-slashes in URLs
- Improve error handling
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from events.