
Conversation

@jbrunton96 (Contributor)

Description of Changes

Make backend auth extendable if other auth providers are desired

@jbrunton96 jbrunton96 self-assigned this Dec 9, 2025
@stirlingbot stirlingbot bot added Java Pull requests that update Java code Back End Issues related to back-end development Security Security-related issues or pull requests labels Dec 9, 2025
@jbrunton96 jbrunton96 force-pushed the configurable-backend-auth branch from 6c55712 to b2297c2 on December 9, 2025 15:13
http.cors(cors -> cors.disable());
}

http.csrf(CsrfConfigurer::disable);

Check failure: Code scanning / CodeQL

Disabled Spring CSRF protection (severity: High)

CSRF vulnerability due to protection being disabled.

Copilot Autofix (AI, 6 days ago)

To fix the problem, we must not disable CSRF protection globally. That is: remove or comment out the line http.csrf(CsrfConfigurer::disable); so the application retains the default (enabled) Spring Security CSRF protection. If there are specific endpoints (e.g., true API endpoints that only accept stateless authentication such as JWT) that should be excluded from CSRF, this should be done with careful use of the .ignoringRequestMatchers() method, specifying only those endpoints, rather than using disable() globally. However, without seeing relevant endpoint-specific logic and as per instructions, we should simply remove the line disabling CSRF to restore secure defaults, and avoid altering existing functionality otherwise.

All edits will be within the method configure(HttpSecurity http) of DefaultSecurityChainConfigurer in the file shown.

Suggested changeset 1
app/proprietary/src/main/java/stirling/software/proprietary/security/configuration/DefaultSecurityChainConfigurer.java

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/configuration/DefaultSecurityChainConfigurer.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/configuration/DefaultSecurityChainConfigurer.java
--- a/app/proprietary/src/main/java/stirling/software/proprietary/security/configuration/DefaultSecurityChainConfigurer.java
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/configuration/DefaultSecurityChainConfigurer.java
@@ -130,7 +130,7 @@
             http.cors(cors -> cors.disable());
         }
 
-        http.csrf(CsrfConfigurer::disable);
+        // Removed global CSRF disabling to preserve default CSRF protection
 
         if (loginEnabledValue) {
             boolean v2Enabled = appConfig.v2Enabled();
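Review bot: Dropping the `http.csrf(CsrfConfigurer::disable)` line restores Spring Security's default CSRF filter for every branch that follows, including the path taken when `loginEnabledValue` is false and the `v2Enabled` branch; any client that sends state-changing requests without a session cookie and token (the stateless or non-browser clients this PR is meant to support) will start receiving 403s. Before accepting this, confirm which endpoints are token-authenticated and scope the exemption with `csrf.ignoringRequestMatchers(...)` for those paths only, rather than relying on the bare replacement. The placeholder comment `// Removed global CSRF disabling to preserve default CSRF protection` describes the edit rather than the code and should be replaced by a comment stating which requests remain exempt and why.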
EOF
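The Autofix comment above recommends keeping CSRF on and exempting only stateless endpoints with `.ignoringRequestMatchers()`. The following configuration, added here as an illustration and not code from the Stirling PDF project or from this PR, shows the flagged global disable beside a scoped exemption. The package name, the `/api/v1/**` path and the rule that a request carrying a Bearer token is treated as stateless are assumptions chosen for the example; the Spring Security calls themselves (`ignoringRequestMatchers`, `CookieCsrfTokenRepository.withHttpOnlyFalse`) are the real Spring Security 6 API.

```java
package example.security; // assumed package for this example, not the project's

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class ScopedCsrfConfig {

    // Assumed rule for this example: a request that authenticates with a
    // Bearer token is stateless. The token is sent explicitly by the client,
    // never attached automatically by the browser the way a session cookie
    // is, so a cross-site form post cannot ride on it and the CSRF check
    // adds nothing for such requests.
    private static final RequestMatcher BEARER_TOKEN_REQUESTS = request -> {
        String auth = request.getHeader("Authorization");
        return auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7);
    };

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Weak form, the pattern CodeQL flags:
        //     http.csrf(CsrfConfigurer::disable);
        // Every state-changing request loses the check, including those
        // authenticated by a session cookie that the browser sends on its own.

        // Hardened form: keep the default CSRF filter and carve out only the
        // requests that cannot be forged cross-site.
        http
            .csrf(csrf -> csrf
                // "/api/v1/**" is an assumed stateless API prefix for this example.
                .ignoringRequestMatchers("/api/v1/**")
                // Also exempt any request that proves itself with a Bearer token.
                .ignoringRequestMatchers(BEARER_TOKEN_REQUESTS)
                // Double-submit cookie: a JavaScript client reads the XSRF-TOKEN
                // cookie and echoes it in the X-XSRF-TOKEN header (Spring's
                // default names), which a cross-origin page cannot do.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick check after wiring this in: a `POST` to a cookie-authenticated endpoint without the `X-XSRF-TOKEN` header should return 403, while the same request with a valid Bearer token, or to a path under the exempted prefix, should succeed. If the browser front end also talks to `/api/v1/**` with a session cookie rather than a token, that prefix must not be exempted; the Bearer-header matcher alone is then the safer carve-out.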
@jbrunton96 jbrunton96 force-pushed the configurable-backend-auth branch from b2297c2 to 812296a on December 9, 2025 15:20