Contrib.social

Add action / condition whether current request has valid CSRF token

Open on Drupal.org →
Created on 9 April 2025, about 1 month ago

Problem/Motivation

Some users might want to configure ECA endpoints that perform write operations.
When providing an Http endpoint to write some sensitive data, this endpoint usually needs to be protected by requiring a valid CSRF token.

Route definitions can do it by specifying following:

requirements:
  _csrf_token: 'TRUE'

Alternatively, another requirement can be defined to set a CSRF token as http header.

Right now it doesn't seem that we have a way to verify that the current request provides a valid CSRF token, either as query URL argument or http header (X-CSRF-Token).

Steps to reproduce

Proposed resolution

  • Add a new condition that verifies whether current request has a valid CSRF token.
  • Add an action to get a valid CSRF token and store it as a token. The token can then be used to create URL paths to protected endpoints.

Remaining tasks

User interface changes

API changes

Data model changes

Feature request
Status

Active

Version

2.1

Component

Miscellaneous

Created by

🇩🇪Germany mxh Offenburg

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @mxh
  • Comment about 1 month ago
    🇩🇪Germany mxh Offenburg
  • Comment about 1 month ago
    🇩🇪Germany jurgenhaas Gottmadingen

    Thought about that myself while dealing with the security advisory around the eca.save route. I was wondering if we shouldn't start by adding a checkbox to the endpoint events to allow for either of the CSRF tokens as requirements. That would then go into the route definition and by that, the ECA endpoint route will be protected.

    Now, when a link to that route gets created, the Url generator from Drupal will create that link with the necessary query parameter. When that link will be used (i.e. clicked), Drupal will automatically verify the token without ECA having to do anything.

    Do we then still need extra conditions? I'm probably missing something.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024