I've a React application inside a Spring Boot project; the React application uses REST calls to get/set stuff. Actually I've disabled CSRF inside the configure adapter with .csrf().disable()
but I'd like to manage this.
How can I handle the CSRF token between React and Spring Boot?
I think that I should pass the token through my axios call, but how do I get it?
Thanks
The answer above, I think, used an old Spring Security version. There's an easy way. For the Spring Boot backend, you can just do
    .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
And in React, you can do it the way in that answer, but don't forget to use <CookiesProvider>
to wrap up what you return.
Or you can just get the token from document.cookie. There should be a pair starting with XSRF-TOKEN=
And CSRF should not be applied to the GET method.
You need to save the CSRF-TOKEN
to a cookie and send it back in the request header.
SecurityConfig class.
Enable the csrfTokenRepository:
    .csrf().csrfTokenRepository(csrfTokenRepository())
        .and()
        .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
        .addFilterAfter(new XSSFilter(), CsrfFilter.class);
Add csrfTokenRepository:
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        // X_CSRF_TOKEN is a constant defined elsewhere in the config holding the
        // header name the client sends (assumed to be "X-XSRF-TOKEN", matching the React side below)
        repository.setHeaderName(X_CSRF_TOKEN);
        return repository;
    }
In React, you can access the token from the cookie:
    csrfToken = cookies.get('XSRF-TOKEN');
Send it as follows in the header:
    headers: {
        'X-XSRF-TOKEN': this.csrfToken,
        'Accept': 'application/json',
        'Content-Type': 'application/json'
    },
https://github.com/supun/okta-spring-boot-react-crud-example/blob/master/src/main/java/com/okta/developer/jugtours/config/SecurityConfiguration.java
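Both answers above come down to the same client-side step: read the XSRF-TOKEN cookie that Spring Security sets and echo it back in the X-XSRF-TOKEN header on state-changing requests only. The following is an added example (not code from either answer or from the linked repository) that does exactly that with plain functions usable from axios or fetch; it assumes Spring's default cookie name XSRF-TOKEN and header name X-XSRF-TOKEN, and the cookie string is passed in so it also runs outside a browser.

```javascript
// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Spring Security does not require a CSRF token for the "safe" HTTP methods,
// so the header is only attached to state-changing requests (POST, PUT, DELETE, ...).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Build the request headers for a given method. cookieName/headerName are the
// Spring Security defaults (assumed here); pass others if the backend renamed them.
function csrfHeaders(method, cookieString, cookieName = 'XSRF-TOKEN', headerName = 'X-XSRF-TOKEN') {
  const headers = { Accept: 'application/json', 'Content-Type': 'application/json' };
  if (SAFE_METHODS.has(method.toUpperCase())) return headers;
  const token = parseCookies(cookieString)[cookieName];
  if (!token) {
    // Without the token the server answers 403 anyway; fail early and visibly
    // (typically the page has not yet received a response that set the cookie).
    throw new Error(`CSRF cookie ${cookieName} not present`);
  }
  return { ...headers, [headerName]: token };
}

// In the browser: axios.post('/api/items', body, { headers: csrfHeaders('POST', document.cookie) })
```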