From c8575e0b119b932ce7f317d4878617459dcecd89 Mon Sep 17 00:00:00 2001
From: MathewFrancis
Date: Tue, 10 Jun 2025 16:32:22 +0530
Subject: [PATCH] XSRF works withUI
---
 .../src/http_routs/phone_operations_http.js | 29 ++++++++++++-------
 .../reactcezenpbx/src/http_routs/userHttp.js | 3 ++
 .../test1/reactcezenpbx/vite.config.js | 6 ++--
 .../config/CezenLoginSecurityChain.java | 7 ++---
 .../security/JWTTokenGeneratorFilter.java | 19 +++++++-----
 5 files changed, 40 insertions(+), 24 deletions(-)
diff --git a/MySQL_conf_pbx/test1/reactcezenpbx/src/http_routs/phone_operations_http.js b/MySQL_conf_pbx/test1/reactcezenpbx/src/http_routs/phone_operations_http.js
index 4cc41c1..e6a9729 100644
--- a/MySQL_conf_pbx/test1/reactcezenpbx/src/http_routs/phone_operations_http.js
+++ b/MySQL_conf_pbx/test1/reactcezenpbx/src/http_routs/phone_operations_http.js
@@ -4,19 +4,28 @@ import socket from "./httpDomainName";
 // make sure the backend has the cookie to
 export async function createEndpointHttpEeq(inputForm = {}) {
 // returns a promise we use await to get the response body using JSON()
- const response = await fetch(`${socket}/cezen/add_user`, {
- method: "POST",
- body: JSON.stringify(inputForm),
+ console.log("XSRF entry 2");
+ const xsrf = await fetch(`${socket}/user/getXSRfToken`, {
+ method: "GET",
+ //body: JSON.stringify(inputForm),
 credentials: "include", //This sends cookies (even HTTP-only ones)
- headers: {
- "content-type": "application/json",
- },
 });
+ // const xsrf_json_resp = await xsrf.json();
+ console.log(xsrf);
 
- const resData = await response.json();
+ // const response = await fetch(`${socket}/cezen/add_user`, {
+ // method: "POST",
+ // body: JSON.stringify(inputForm),
+ // credentials: "include", //This sends cookies (even HTTP-only ones)
+ // headers: {
+ // "content-type": "application/json",
+ // },
+ // });
 
- console.log("response data from sip");
- console.log(resData);
+ // const resData = await response.json();
 
- return resData;
+ // console.log("response data from sip");
+ // console.log(resData);
+
+ return null;
 }
diff --git a/MySQL_conf_pbx/test1/reactcezenpbx/src/http_routs/userHttp.js b/MySQL_conf_pbx/test1/reactcezenpbx/src/http_routs/userHttp.js
index 796c4c6..b2be015 100755
--- a/MySQL_conf_pbx/test1/reactcezenpbx/src/http_routs/userHttp.js
+++ b/MySQL_conf_pbx/test1/reactcezenpbx/src/http_routs/userHttp.js
@@ -1,4 +1,5 @@
 import socket from "./httpDomainName";
+import { createEndpointHttpEeq } from "./phone_operations_http";
 
 /**
 * this is used to send the data collected from
@@ -84,6 +85,8 @@ class authenticationBuilder {
 credentials: "include", // <-- VERY IMPORTANT to get the JWT cookie from the backend
 });
 
+ //createEndpointHttpEeq();
+
 const resData = await loginResp.json();
 
 console.log("response data");
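Review bot: createEndpointHttpEeq now returns null without ever using the token it fetches — `xsrf` is only handed to console.log, `inputForm` is no longer sent anywhere, and the add_user POST is commented out, so any caller awaiting the endpoint-creation result silently gets null. The backend in this same commit keeps a CookieCsrfTokenRepository and inspects an X-XSRF-TOKEN header, so the token presumably arrives as a cookie and has to be echoed back as a request header on the mutating POST (Spring's defaults are an XSRF-TOKEN cookie and an X-XSRF-TOKEN header — confirm against cookieCsrfTokenRepo). Suggest restoring the POST with that header, e.g. `headers: { "content-type": "application/json", "X-XSRF-TOKEN": token }` where `token` is read from the cookie after the GET, and replacing `console.log(xsrf)` with a `response.ok` check instead of dumping the Response object. Until that is wired up, the commented-out block and the stale `//body:` line are dead code and should not be shipped.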
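Review bot: The `import { createEndpointHttpEeq } from "./phone_operations_http";` added in the first hunk is unused, because its only call site, added in the second hunk after the login fetch, is the commented-out `//createEndpointHttpEeq();`. Either drop both lines until the call is live, or make it a real `await createEndpointHttpEeq();` so a failed token fetch surfaces to the caller instead of becoming a floating promise. The enclosing method of authenticationBuilder starts and ends outside the hunk.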
diff --git a/MySQL_conf_pbx/test1/reactcezenpbx/vite.config.js b/MySQL_conf_pbx/test1/reactcezenpbx/vite.config.js
index 8b0f57b..0e43ae8 100755
--- a/MySQL_conf_pbx/test1/reactcezenpbx/vite.config.js
+++ b/MySQL_conf_pbx/test1/reactcezenpbx/vite.config.js
@@ -1,7 +1,7 @@
-import { defineConfig } from 'vite'
-import react from '@vitejs/plugin-react'
+import { defineConfig } from "vite";
+import react from "@vitejs/plugin-react";
 
 // https://vite.dev/config/
 export default defineConfig({
 plugins: [react()],
-})
+});
diff --git a/MySQL_conf_pbx/test1/springCezenPBX/src/main/java/com/example/cezenPBX/config/CezenLoginSecurityChain.java b/MySQL_conf_pbx/test1/springCezenPBX/src/main/java/com/example/cezenPBX/config/CezenLoginSecurityChain.java
index 6831ab3..faf70c6 100755
--- a/MySQL_conf_pbx/test1/springCezenPBX/src/main/java/com/example/cezenPBX/config/CezenLoginSecurityChain.java
+++ b/MySQL_conf_pbx/test1/springCezenPBX/src/main/java/com/example/cezenPBX/config/CezenLoginSecurityChain.java
@@ -68,7 +68,7 @@ public class CezenLoginSecurityChain {
 //.csrf(AbstractHttpConfigurer::disable)
 .csrf((csrf) -> csrf.csrfTokenRequestHandler(requestHandler).
- ignoringRequestMatchers("/open/signup","/open/login","/user/getXSRfToken")
+ ignoringRequestMatchers("/open/signup","/user/getXSRfToken")
 //.csrfTokenRepository(new CookieCsrfTokenRepository())
 .csrfTokenRepository(cookieCsrfTokenRepo)
 )
@@ -90,10 +90,9 @@ public class CezenLoginSecurityChain {
 "/cezen/add_extension"
 ).hasAnyRole("admin")
 //any one who is authenticated can access /logout
- .requestMatchers("/open/login", "/user/getXSRfToken", "/logout").authenticated()
+ .requestMatchers("/user/getXSRfToken", "/logout").authenticated()
 //all the rest are open to public
- .requestMatchers("/open/signup").permitAll()
- //.requestMatchers(HttpMethod.POST, "/open/**").permitAll()
+ .requestMatchers("/open/signup", "/open/login").permitAll()
 )
 // redirect to /login if the user is not authenticated Customizer.withDefaults() enables a security feature using the defaults provided by Spring Security
 .formLogin(Customizer.withDefaults())
diff --git a/MySQL_conf_pbx/test1/springCezenPBX/src/main/java/com/example/cezenPBX/security/JWTTokenGeneratorFilter.java b/MySQL_conf_pbx/test1/springCezenPBX/src/main/java/com/example/cezenPBX/security/JWTTokenGeneratorFilter.java
index 03d1b7d..bcc9849 100755
--- a/MySQL_conf_pbx/test1/springCezenPBX/src/main/java/com/example/cezenPBX/security/JWTTokenGeneratorFilter.java
+++ b/MySQL_conf_pbx/test1/springCezenPBX/src/main/java/com/example/cezenPBX/security/JWTTokenGeneratorFilter.java
@@ -8,6 +8,8 @@ import jakarta.servlet.ServletException;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.http.ResponseCookie;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
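Review bot: After this hunk `/open/login` is `permitAll()`, but the earlier hunk at line 68 removed it from the CSRF `ignoringRequestMatchers(...)` list, so an anonymous POST to `/open/login` must now carry a valid CSRF token — while `/user/getXSRfToken` stays `authenticated()`, which leaves a not-yet-logged-in client with no endpoint to obtain that token from. Unless the token reaches the client some other way (for example if cookieCsrfTokenRepo writes the cookie on an earlier GET that renders the token), login requests will be rejected with 403. Protecting login against login-CSRF is the right direction, so rather than re-adding the ignore I would open the token endpoint instead: `.requestMatchers("/open/signup", "/open/login", "/user/getXSRfToken").permitAll()`. If the frontend reads the token from the cookie in JavaScript, the repository also has to have been built with `CookieCsrfTokenRepository.withHttpOnlyFalse()`, which is not visible in this diff. The surrounding filter-chain method starts and ends outside the hunk.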
@@ -47,13 +49,16 @@ public class JWTTokenGeneratorFilter extends OncePerRequestFilter {
 //SecurityConstants.JWT_HEADER, in the Constants SecurityConstants folder
 //response.setHeader(SecurityConstants.JWT_HEADER, jwt);
 //uncomment for cookie based saving
- Cookie cookie = new Cookie(SecurityConstants.JWT_HEADER,jwt);
- cookie.setHttpOnly(true);
- cookie.setSecure(false);
- cookie.setPath("/");
- response.addCookie(cookie);
- System.out.println("JWT Generated");
- }
+ ResponseCookie jwtCookie = ResponseCookie.from(SecurityConstants.JWT_HEADER, jwt)
+ .httpOnly(true)
+ .secure(true) // set to true if HTTPS
+ .path("/")
+ .sameSite("None") // or "None" if your frontend is on another port/origin
+ .maxAge(60 * 60) // 1 hour
+ .build();
+
+ response.addHeader("Set-Cookie", jwtCookie.toString());
+ }
 System.out.println("Intercepted");
 System.out.println(response.getHeader("X-XSRF-TOKEN"));
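Review bot: The inline comments on the new ResponseCookie contradict the values they annotate: `.secure(true) // set to true if HTTPS` and `.sameSite("None") // or "None" if your frontend is on another port/origin` read as choices still to be made, while the code already commits to both. The pairing itself is correct — browsers reject SameSite=None cookies that are not Secure — but it also means the JWT cookie will not be stored or sent on a plain-http origin, so the previous `setSecure(false)` behaviour for a non-TLS setup is gone and that deserves a comment rather than a hedge; suggest `.secure(true) // required: SameSite=None is rejected without Secure` and `.sameSite("None") // frontend is served from a different origin`. `.maxAge(60 * 60)` also introduces a second, independent lifetime next to whatever expiry the JWT itself carries (set outside this hunk); deriving both from one constant keeps the cookie from outliving or truncating the token. The enclosing filter method starts and ends outside the hunk.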