Merge pull request #18644 from nextcloud/harden/csrf_endpoint

Only allow requesting new CSRF tokens if it passes the SameSite Cooki…

core/Controller/CSRFTokenController.php

@@ -28,6 +28,7 @@ namespace OC\Core\Controller;
 
 use OC\Security\CSRF\CsrfTokenManager;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;
 
@@ -54,6 +55,10 @@ class CSRFTokenController extends Controller {
 	 * @return JSONResponse
 	 */
 	public function index(): JSONResponse {
+		if (!$this->request->passesStrictCookieCheck()) {
+			return new JSONResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		$requestToken = $this->tokenManager->getToken();
 
 		return new JSONResponse([

tests/Core/Controller/CSRFTokenControllerTest.php

@@ -54,7 +54,9 @@ class CSRFTokenControllerTest extends TestCase {
 			$this->tokenManager);
 	}
 
-	public function testGetToken() {
+	public function testGetToken(): void {
+		$this->request->method('passesStrictCookieCheck')->willReturn(true);
+
 		$token = $this->createMock(CsrfToken::class);
 		$this->tokenManager->method('getToken')->willReturn($token);
 		$token->method('getEncryptedValue')->willReturn('toktok123');
@@ -68,4 +70,13 @@ class CSRFTokenControllerTest extends TestCase {
 			], $response->getData());
 	}
 
+	public function testGetTokenNoStrictSameSiteCookie(): void {
+		$this->request->method('passesStrictCookieCheck')->willReturn(false);
+
+		$response = $this->controller->index();
+
+		$this->assertInstanceOf(JSONResponse::class, $response);
+		$this->assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
+	}
+
 }