BACKLOG-23424 - General refactoring of CSRF guard & caching / loading improvements

[jahia-ci]

Story for an important refactoring of the CSRF guard:

General

• Move https://github.com/Jahia/dummy-csrf-test-module inside the csrf-guard repo, as for every other modules
• Add a couple of cypress tests
• Upgrade the version of CSRFGuard library (i moved this one up to avoid rework)
• Investigate if the module can be configured via OSGi instead of properties file

Improve caching / loading strategy

• Add a new config to activate or deactivate csrf check for guest users. Value by default = deactivated
• Improve the loading strategy / token lifecycle to avoid reloading the script on each page
• Modify CSRF module to include a version number in the Javascript URL
• Change the cache policy to propose an infinite caching (like js in node modules)

Imported from Jira, on Thu Jan 30, 2025
Issue: BACKLOG-23424 in project: DX BACKLOG
Priority: Unspecified Type: Story
Reporter: @romain-pm (Romain Gauthier)
Assignee: None found in Jira, making reporter the assignee in GitHub
Created: Tue Nov 26, 2024, last updated: Fri Nov 29, 2024
Status: Open
Sprint: TTY - Next Week started on Thu Jan 1, 1970
Parent Epic: BACKLOG-23419 - Make Jahia easier to use with a CDN [JIRA] (Delivery)

[jayblanc]

There is 2 branches associated :
The first one can be merged and provide :

• the move of the dummy module inside this one (under tests folder as other jahia modules)
• the ci/cd script to handle tests
• some cypress tests base (partially) on those made in test rails
• the latest CSRFGuard version upgrade (4.4.0) but the minified JS is not included (don't now how to merge it with origin)
• full OSGI configuration of module (no more spring.xml bean config) (a dependency to spring still exists because it uses a Multipart tool from spring lib)
• A specific global config (OSGI) define what was existing in spring bean config (xml) and add a toggle value to disable CSRF for guest users

The second one provide client side optimisation but need a PR on the original CSRF library to be merged before :

• The JS include a ETag when not cache 'forever' client side to avoid at least the network download if the file is the same
• The ETag is exposed to be included somewhere else
• A specific client side config is applied on script when queried using a query param ?tag=
  In the Jahia Module :
• The exposed ETag is injected in the <script> url as ?tag query param
• The patched owasp lib handle the tag to provide a long term (600s) caching to the client

[jayblanc]

I can't link PR or branches from jahia-csrf-guard module to that issue so here are the links :
Pending PR in jahia-csrf-guard module repository :
#101

Branch that will include ETag if PR 327 is merged in origin OWASP csrf module :
https://github.com/Jahia/jahia-csrf-guard/tree/BACKLOG-23424-ETAG

OWASP CSRF module PR :
OWASP/www-project-csrfguard#327

[jahia-ci]

If an issue is attached to a project starting with Team - , it can only be closed if its has a Status of Done

code: INCORRECT_GITHUB_PROJECT_STATUS