Inject a CSRF token into all responses

15f125ac · Felipe D'Abrantes · 006a3ec4 · 15f125ac
Commit 15f125ac authored 2 years ago by Felipe D'Abrantes
--- a/backend-services/feed-service/app/models/actions/AuthenticatedUserAction.scala
+++ b/backend-services/feed-service/app/models/actions/AuthenticatedUserAction.scala
 package models.actions

 import models.actions.AuthenticationRequest
-import play.api.mvc.{ActionBuilder, BodyParsers, Request, Result, AnyContent}

-import scala.concurrent.Future
+import play.api.mvc.{ActionBuilder, BodyParsers, Request, Result, AnyContent, Cookie}
+import play.filters.csrf.CSRF

 import javax.inject.Inject
-import scala.concurrent.ExecutionContext
+import scala.concurrent.{Future, ExecutionContext}


 /**
@@ -17,13 +17,19 @@ class AuthenticatedUserAction @Inject()(authenticationTransformer: Authenticatio
    extends ActionBuilder[AuthenticationRequest, AnyContent] {

    /**
-     * Invoke the main controller block, with the transformations and filtering middleware.
+     * Invoke the main controller block, with the transformations and filtering middleware, and the CSRF token injection.
     *
     * @param request The incoming request.
     * @param block The block of code to invoke.
     * @return A future of the result.
     */
    override def invokeBlock[A](request: Request[A], block: AuthenticationRequest[A] => Future[Result]): Future[Result] = {
-        (authenticationTransformer andThen authenticationFilter).invokeBlock(request, block)
+        val result: Future[Result] = (authenticationTransformer andThen authenticationFilter).invokeBlock(request, block)
+
+        (result).map(_result => {
+            // Add CSRF token to response
+            val token = CSRF.getToken(request).map(_.value).getOrElse("")
+            _result.withHeaders("Csrf-Token" -> token).withCookies(Cookie(name = "PLAY_CSRF_TOKEN", value = token))
+        })
    }
 }