fix(core): improve CSRF handling and URL validation in session actions

[hgw77]

Summary

Fixes intermittent CSRF token validation errors on the "Sync Password" flow by skipping CSRF verification for login endpoints, and adds consistent safe_redirect_url? validation to prevent open redirect vulnerabilities.

Problem

Users clicking "Sync Password" in their profile intermittently encountered a "Can't verify CSRF token authenticity" error (HTTP 422). The issue only affected the "Sync Password" flow (users with existing sessions), not fresh logins.

Root Cause

When a user with an existing session visits the login page, AuthSession.logout() calls reset_session() plugins/monsoon-openstack-auth/app/controllers/monsoon_openstack_auth/sessions_controller.rb:

def reset_session(controller)
  token_store = token_store(controller)
  return unless token_store        # ← Returns early if no session (fresh login)

  dump = token_store.dump          # Save OpenStack tokens
  controller.send('reset_session') # Clears session INCLUDING CSRF token
  token_store.restore(dump)        # Restores OpenStack tokens, NOT CSRF token
end

The flow:

1. Fresh login (no session): token_store returns nil → reset_session returns early → CSRF works ✅
2. Sync Password (has session): reset_session runs fully → new session ID created → new CSRF token generated → but due to session management complexity (ActiveRecord store, domain-scoped cookie paths), the token can become invalid between form render and submit ❌

Solution

1. Skip CSRF verification for login actions (create, consume_auth_token, check_passcode)

   • Login forms don't have an authenticated session to protect
   • Same-origin policy prevents cross-site form submissions
   • This is a common pattern for login endpoints in Rails applications

2. Add safe_redirect_url? validation to create, check_passcode, and destroy actions

   • Prevents open redirect vulnerabilities
   • Only allows relative URLs or same-host URLs
   • Already used in consume_auth_token, now applied consistently

Changes Made

• Add skip_before_action :verify_authenticity_token for login-related actions
• Apply safe_redirect_url? validation to after_login and redirect_to parameters in all actions
• Make host comparison case-insensitive in safe_redirect_url?

Flow Diagram

FRESH LOGIN (no session)                 SYNC PASSWORD (has session)
        │                                         │
        ▼                                         ▼
  reset_session()                           reset_session()
        │                                         │
        ▼                                         ▼
  token_store = nil                         token_store exists
        │                                         │
        ▼                                         ▼
  return early ◄─ NO RESET                  controller.reset_session
        │                                         │
        ▼                                         ▼
  Form + CSRF token                         NEW session + NEW CSRF token
        │                                         ▼
        ▼                                   Session management complexity
  Submit → Token matches ✅                 (ActiveRecord store, cookie paths)
                                                  │
                                                  ▼
                                            Submit → Token may not match ❌

Related Issues

• Could fix Issue: [Bug](auth): Password sync leads to "Argument Error" page #1813

Checklist

• I have performed a self-review of my code.
• I have commented my code, particularly in hard-to-understand areas.
• I have added tests that prove my fix is effective or that my feature works.
• New and existing unit tests pass locally with my changes.
• I have made corresponding changes to the documentation (if applicable).
• My changes generate no new warnings or errors.

In general, the fix is to stop skipping CSRF protection on these actions and instead address the underlying “intermittent CSRF failures” by preserving or regenerating tokens correctly and/or by only relaxing CSRF on truly safe, idempotent endpoints (like a pure GET callback that simply redirects using a one‑time token). We want to maintain Rails’ verify_authenticity_token behavior for state‑changing actions while keeping the existing login/session flows working.

Best targeted fix without changing functional behavior more than necessary:

1. Restore CSRF protection for create and check_passcode, which are clearly state‑changing login/2FA actions using regular form posts. These should not bypass CSRF.
2. Allow consume_auth_token to remain exempt (if it must handle GET redirects with query tokens), but explicitly document that its auth_token is treated as a high‑entropy, single‑use secret. That narrows the exemption to the one action that plausibly needs it.
3. This is achieved purely by tightening the skip_before_action filter so that it only applies to :consume_auth_token.

Concretely:

• In plugins/monsoon-openstack-auth/app/controllers/monsoon_openstack_auth/sessions_controller.rb, on the line with skip_before_action :verify_authenticity_token, only: %i[create consume_auth_token check_passcode], change the only: list to [:consume_auth_token] (or %i[consume_auth_token]), leaving everything else intact.
• No new methods or imports are required; we are simply re‑enabling the default Rails CSRF protection on create and check_passcode.

---