MOB-55 Disabled CSRF

demoBackend/src/demo-website/src/components/Login.vue

@@ -7,8 +7,9 @@
 
       <p class="text-center">Read more from <a href="https://github.com/TanelOrumaa/Estonian-ID-card-mobile-authenticator-POC">here.</a></p>
     </div>
+    <div id="canvas"></div>
     <div class="justify-content-center d-flex">
-      <div id="canvas"></div>
+
       <button type="button" class="btn loginButton btn-dark" v-on:click="authenticate">
         <div v-if="loading" class="d-flex justify-content-center">
           <div class="spinner-border text-light spinner-border-sm" role="status">
@@ -115,7 +116,7 @@ export default {
 }
 
 #canvas {
-  height: 5vh;
-  width: 5vh;
+  height: 30vh;
+  width: 30vh;
 }
 </style>

demoBackend/src/demo-website/src/components/Navbar.vue

@@ -22,8 +22,19 @@ export default {
   },
   methods: {
     logOut: function () {
-      this.$store.commit("setLoggedIn", false);
-      router.push("/");
+
+      const requestOptions = {
+        method: "POST",
+        headers: {"Content-Type": "application/json"},
+        body: JSON.stringify({"sessionId": this.$store.getters.getSessionId})
+      };
+      fetch("/auth/logout", requestOptions)
+          .then((response) => {
+                console.log(response);
+                this.$store.commit("setLoggedIn", false);
+                router.push("/");
+              }
+          )
     }
   },
   mounted() {
@@ -36,7 +47,7 @@ export default {
 </script>
 
 <style scoped>
-  nav {
-    height: 5vh;
-  }
+nav {
+  height: 5vh;
+}
 </style>

demoBackend/src/demo-website/src/web-eid.js

@@ -857,7 +857,7 @@ class IntentUrl {
         url += this.postFinalizeSigningUrl ? "&postFinalizeSigningUrl=\"" + encodeURIComponent(this.postFinalizeSigningUrl) + "\"" : "";
         url += this.applicationName ? "&applicationName=\"" + encodeURIComponent(this.applicationName) + "\"" : "";
         url += this.actionDescription ? "&actionDescription=\"" + encodeURIComponent(this.actionDescription) + "\"" : "";
-        url += this.headers ? "&headers=\"" + this.headers + "\"" : "";
+        url += this.headers ? "&headers=\"" + JSON.stringify(this.headers) + "\"" : "";
         url += this.userInteractionTimeout ? "&userInteractionTimeout=\"" + this.userInteractionTimeout + "\"" : "";
         url += this.serverRequestTimeout ? "&serverRequestTimeout=\"" + this.serverRequestTimeout + "\"" : "";
         url += this.lang ? "&lang=\"" + this.lang + "\"" : "";

demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/security/SecurityConfiguration.kt

@@ -14,8 +14,10 @@ class SecurityConfiguration : WebSecurityConfigurerAdapter() {
             ?.roles("USER")
     }
 
-    override fun configure(http: HttpSecurity?) {
-        http?.sessionManagement()?.sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
-        http?.authorizeRequests()?.antMatchers("/**")?.permitAll()
+    override fun configure(http: HttpSecurity) {
+        http.authorizeRequests()?.antMatchers("/**")?.permitAll()
+            ?.antMatchers("/auth/**")?.permitAll()
+        http.sessionManagement()?.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
+        http.csrf().disable()
     }
 }

demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/rest/AuthenticationController.kt

@@ -38,4 +38,12 @@ class AuthenticationController {
         }
         return auth
     }
+
+    @PostMapping("logout", consumes = [MediaType.APPLICATION_JSON_VALUE])
+    fun logOut(@RequestBody body: String) : HttpStatus? {
+        LOG.warn("I WAS HERE")
+        LOG.warn(body)
+        return HttpStatus.ACCEPTED
+
+    }
 }