Merge pull request #427 from sebadob/client-secret-from-get-to-post

change the `GET` for a client secret to `POST` for additional CSRF validation
sebadob · May 9, 2024 · 72f077f · 72f077f
2 parents e697389 + 3df611f
commit 72f077f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/frontend/src/utils/dataFetchingAdmin.js b/frontend/src/utils/dataFetchingAdmin.js
@@ -123,8 +123,8 @@ export async function deleteClientLogo(id) {
 
 export async function getClientSecret(id) {
     const res = await fetch(`/auth/v1/clients/${id}/secret`, {
-        method: 'GET',
-        headers: HEADERS,
+        method: 'POST',
+        headers: getHeaders(),
     });
     return await checkRedirectForbidden(res);
 }

diff --git a/rauthy-handlers/src/clients.rs b/rauthy-handlers/src/clients.rs
@@ -86,10 +86,13 @@ pub async fn get_client_by_id(
 
 //github.com/ Returns the secret in cleartext for a given client by its *id*.
 //github.com/
+//github.com/ This is a `POST` request on purpose to do an additional CSRF token check for such a
+//github.com/ sensitive endpoint.
+//github.com/
 //github.com/ **Permissions**
 //github.com/ - rauthy_admin
 #[utoipa::path(
-    get,
+    post,
     path = "/clients/{id}/secret",
     tag = "clients",
     responses(
@@ -100,7 +103,7 @@ pub async fn get_client_by_id(
         (status = 404, description = "NotFound"),
     ),
 )]
-#[get("/clients/{id}/secret")]
+#[post("/clients/{id}/secret")]
 pub async fn get_client_secret(
     data: web::Data<AppState>,
     path: web::Path<String>,