Posted to commits@dolphinscheduler.apache.org by GitBox <gi...@apache.org> on 2022/12/14 08:50:01 UTC

[GitHub] [dolphinscheduler] hdygxsj commented on a diff in pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)

hdygxsj commented on code in PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#discussion_r1048170024


##########
dolphinscheduler-ui/src/service/service.ts:
##########
@@ -74,9 +74,12 @@ const err = (err: AxiosError): Promise<AxiosError> => {
 service.interceptors.request.use((config: AxiosRequestConfig<any>) => {
   config.headers && (config.headers.sessionId = userStore.getSessionId)
   const language = cookies.get('language')
+  const sessionId = cookies.get('sessionId')
   config.headers = config.headers || {}
   if (language) config.headers.language = language
-
+  if (sessionId) {
+    config.headers['X-CSRF-TOKEN'] = sessionId.split('').reverse().join('')
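Review bot: the value assigned at `config.headers['X-CSRF-TOKEN'] = sessionId.split('').reverse().join('')` is a fixed, publicly known transform of the session id, so it carries no secret of its own: anyone holding the session id (which this same interceptor already sends in the `sessionId` header via `config.headers.sessionId = userStore.getSessionId`) can compute it, and a server check that reverses the header and compares it with the session id reduces to "was the custom header present at all", leaving the protection to rest entirely on browsers refusing to attach custom headers cross-origin. Prefer a token the client cannot derive from data it already sends: a random per-session value issued by the server and compared in constant time, or a keyed HMAC of the session id under a server-side secret. Two smaller points: `cookies.get('sessionId')` requires the session cookie to be readable from JavaScript (not HttpOnly), which widens what an XSS can steal, and the token is taken from the cookie while the `sessionId` header comes from `userStore`, so the two can disagree after a session change.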

Review Comment:
   My current thoughts are as follows:
   1. Use an asymmetric encryption algorithm. When the front end obtains the sessionId, encrypt it using the public key and store the ciphertext persistently using pinia. When the back-end interceptor receives the X-CSRF-TOKEN, decrypt it with the private key and compare it with the sessionId. This comes at the cost of reducing the throughput of the request.
   2. Or the back end can provide a GET API for obtaining a token. The back end generates the token and persists it in the database. However, I feel that the IO cost of querying the database should be higher than that of decrypting.
   If the above methods are OK, I can also implement them in this PR.


