Merge pull request #1501 from GandalfTheBlack16/master

bnasslahsen · web-flow · commit 2015aaf1bd70 · 2022-02-27T05:11:33.000-08:00
Add option to get the CSRF token from the Session Storage
diff --git a/springdoc-openapi-common/src/main/java/org/springdoc/core/SwaggerUiConfigProperties.java b/springdoc-openapi-common/src/main/java/org/springdoc/core/SwaggerUiConfigProperties.java
@@ -145,6 +145,11 @@ public static class Csrf {
 		 */
 		private boolean useLocalStorage;
 
+		/**
+		 * Use Session storage.
+		 */
+		private boolean useSessionStorage;
+
 		/**
 		 * The Cookie name.
 		 */
@@ -155,6 +160,11 @@ public static class Csrf {
 		 */
 		private String localStorageKey = Constants.CSRF_DEFAULT_LOCAL_STORAGE_KEY;
 
+		/**
+		 * The Session storage key.
+		 */
+		private String sessionStorageKey = Constants.CSRF_DEFAULT_LOCAL_STORAGE_KEY;
+
 		/**
 		 * The Header name.
 		 */
@@ -187,6 +197,15 @@ public boolean isUseLocalStorage() {
 			return useLocalStorage;
 		}
 
+		/**
+		 * Use Session storage boolean.
+		 *
+		 * @return the boolean
+		 */
+		public boolean isUseSessionStorage() {
+			return useSessionStorage;
+		}
+
 		/**
 		 * Sets useLocalStorage.
 		 *
@@ -196,6 +215,15 @@ public void setUseLocalStorage(boolean useLocalStorage) {
 			this.useLocalStorage = useLocalStorage;
 		}
 
+		/**
+		 * Sets useSessionStorage.
+		 *
+		 * @param useSessionStorage the use local storage
+		 */
+		public void setUseSessionStorage(boolean useSessionStorage) {
+			this.useSessionStorage = useSessionStorage;
+		}
+
 		/**
 		 * Gets cookie name.
 		 *
@@ -223,6 +251,15 @@ public String getLocalStorageKey() {
 			return localStorageKey;
 		}
 
+		/**
+		 * Gets session storage key.
+		 *
+		 * @return the cookie name
+		 */
+		public String getSessionStorageKey() {
+			return sessionStorageKey;
+		}
+
 		/**
 		 * Sets local storage key.
 		 *
@@ -232,6 +269,15 @@ public void setLocalStorageKey(String localStorageKey) {
 			this.localStorageKey = localStorageKey;
 		}
 
+		/**
+		 * Sets local storage key.
+		 *
+		 * @param sessionStorageKey the local storage key
+		 */
+		public void setSessionStorageKey(String sessionStorageKey) {
+			this.sessionStorageKey = sessionStorageKey;
+		}
+
 		/**
 		 * Gets header name.
 		 *
diff --git a/springdoc-openapi-common/src/main/java/org/springdoc/ui/AbstractSwaggerIndexTransformer.java b/springdoc-openapi-common/src/main/java/org/springdoc/ui/AbstractSwaggerIndexTransformer.java
@@ -145,6 +145,8 @@ protected String defaultTransformations(InputStream inputStream) throws IOExcept
 		if (swaggerUiConfig.isCsrfEnabled()) {
 			if (swaggerUiConfig.getCsrf().isUseLocalStorage())
 				html = addCSRFLocalStorage(html);
+			else if (swaggerUiConfig.getCsrf().isUseSessionStorage())
+				html = addCSRFSessionStorage(html);
 			else
 				html = addCSRF(html);
 		}
@@ -226,21 +228,45 @@ protected String addCSRF(String html) {
 	protected String addCSRFLocalStorage(String html) {
 		StringBuilder stringBuilder = new StringBuilder();
 		stringBuilder.append("requestInterceptor: (request) => {\n");
-		stringBuilder.append("t\t\tconst value = window.localStorage.getItem('");
+		stringBuilder.append("\t\t\tconst value = window.localStorage.getItem('");
 		stringBuilder.append(swaggerUiConfig.getCsrf().getLocalStorageKey() + "');\n");
-		stringBuilder.append("t\t\tconst currentURL = new URL(document.URL);\n");
-		stringBuilder.append("t\t\tconst requestURL = new URL(request.url, document.location.origin);\n");
-		stringBuilder.append("t\t\tconst isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
-		stringBuilder.append("t\t\tif (isSameOrigin) ");
+		stringBuilder.append("\t\t\tconst currentURL = new URL(document.URL);\n");
+		stringBuilder.append("\t\t\tconst requestURL = new URL(request.url, document.location.origin);\n");
+		stringBuilder.append("\t\t\tconst isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
+		stringBuilder.append("\t\t\tif (isSameOrigin) ");
 		stringBuilder.append("request.headers['");
 		stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
 		stringBuilder.append("'] = value;\n");
-		stringBuilder.append("t\t\treturn request;\n");
+		stringBuilder.append("\t\t\treturn request;\n");
 		stringBuilder.append("\t\t},\n");
         stringBuilder.append("\t\t" + PRESETS);
 		return html.replace(PRESETS, stringBuilder.toString());
 	}
 
+	/**
+	 * Add csrf string from Session storage.
+	 *
+	 * @param html the html
+	 * @return the string
+	 */
+	protected String addCSRFSessionStorage(String html) {
+		StringBuilder stringBuilder = new StringBuilder();
+		stringBuilder.append("requestInterceptor: (request) => {\n");
+		stringBuilder.append("\t\t\tconst value = window.sessionStorage.getItem('");
+		stringBuilder.append(swaggerUiConfig.getCsrf().getSessionStorageKey() + "');\n");
+		stringBuilder.append("\t\t\tconst currentURL = new URL(document.URL);\n");
+		stringBuilder.append("\t\t\tconst requestURL = new URL(request.url, document.location.origin);\n");
+		stringBuilder.append("\t\t\tconst isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
+		stringBuilder.append("\t\t\tif (isSameOrigin) ");
+		stringBuilder.append("request.headers['");
+		stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
+		stringBuilder.append("'] = value.replace(/['\"]+/g,'');\n");
+		stringBuilder.append("\t\t\treturn request;\n");
+		stringBuilder.append("\t\t},\n");
+		stringBuilder.append("\t\t" + PRESETS);
+		return html.replace(PRESETS, stringBuilder.toString());
+	}
+
 	/**
 	 * Add syntax highlight string.
 	 *
