XSRF works withUI

MySQL_conf_pbx/test1/reactcezenpbx/src/http_routs/phone_operations_http.js

@@ -4,19 +4,28 @@ import socket from "./httpDomainName";
 // make sure the backend has the cookie to
 export async function createEndpointHttpEeq(inputForm = {}) {
   // returns a promise we use await to get the response body using JSON()
-  const response = await fetch(`${socket}/cezen/add_user`, {
+  console.log("XSRF entry 2");
-    method: "POST",
+  const xsrf = await fetch(`${socket}/user/getXSRfToken`, {
-    body: JSON.stringify(inputForm),
+    method: "GET",
+    //body: JSON.stringify(inputForm),
     credentials: "include", //This sends cookies (even HTTP-only ones)
-    headers: {
-      "content-type": "application/json",
-    },
   });
+  // const xsrf_json_resp = await xsrf.json();
+  console.log(xsrf);
 
-  const resData = await response.json();
+  // const response = await fetch(`${socket}/cezen/add_user`, {
+  //   method: "POST",
+  //   body: JSON.stringify(inputForm),
+  //   credentials: "include", //This sends cookies (even HTTP-only ones)
+  //   headers: {
+  //     "content-type": "application/json",
+  //   },
+  // });
 
-  console.log("response data from sip");
+  // const resData = await response.json();
-  console.log(resData);
 
-  return resData;
+  // console.log("response data from sip");
+  // console.log(resData);
+
+  return null;
 }

MySQL_conf_pbx/test1/reactcezenpbx/src/http_routs/userHttp.js

@@ -1,4 +1,5 @@
 import socket from "./httpDomainName";
+import { createEndpointHttpEeq } from "./phone_operations_http";
 
 /**
  * this is used to send the data collected from
@@ -84,6 +85,8 @@ class authenticationBuilder {
       credentials: "include", // <-- VERY IMPORTANT to get the JWT cookie from the backend
     });
 
+    //createEndpointHttpEeq();
+
     const resData = await loginResp.json();
 
     console.log("response data");

MySQL_conf_pbx/test1/reactcezenpbx/vite.config.js

@@ -1,7 +1,7 @@
-import { defineConfig } from 'vite'
+import { defineConfig } from "vite";
-import react from '@vitejs/plugin-react'
+import react from "@vitejs/plugin-react";
 
 // https://vite.dev/config/
 export default defineConfig({
   plugins: [react()],
-})
+});

MySQL_conf_pbx/test1/springCezenPBX/src/main/java/com/example/cezenPBX/config/CezenLoginSecurityChain.java

@@ -68,7 +68,7 @@ public class CezenLoginSecurityChain {
                //.csrf(AbstractHttpConfigurer::disable)
                .csrf((csrf) ->
                        csrf.csrfTokenRequestHandler(requestHandler).
-                               ignoringRequestMatchers("/open/signup","/open/login","/user/getXSRfToken")
+                               ignoringRequestMatchers("/open/signup","/user/getXSRfToken")
                        //.csrfTokenRepository(new CookieCsrfTokenRepository())
                        .csrfTokenRepository(cookieCsrfTokenRepo)
                )
@@ -90,10 +90,9 @@ public class CezenLoginSecurityChain {
                                 "/cezen/add_extension"
                         ).hasAnyRole("admin")
                         //any one who is authenticated can access /logout
-                        .requestMatchers("/open/login", "/user/getXSRfToken", "/logout").authenticated()
+                        .requestMatchers("/user/getXSRfToken", "/logout").authenticated()
                         //all the rest are open to public
-                        .requestMatchers("/open/signup").permitAll()
+                        .requestMatchers("/open/signup", "/open/login").permitAll()
-                        //.requestMatchers(HttpMethod.POST, "/open/**").permitAll()
                 )
                 // redirect to /login if the user is not authenticated  Customizer.withDefaults() enables a security feature using the defaults provided by Spring Security
                 .formLogin(Customizer.withDefaults())

MySQL_conf_pbx/test1/springCezenPBX/src/main/java/com/example/cezenPBX/security/JWTTokenGeneratorFilter.java

@@ -8,6 +8,8 @@ import jakarta.servlet.ServletException;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.http.ResponseCookie;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -47,13 +49,16 @@ public class JWTTokenGeneratorFilter extends OncePerRequestFilter {
             //SecurityConstants.JWT_HEADER, in the Constants SecurityConstants folder
             //response.setHeader(SecurityConstants.JWT_HEADER, jwt);
             //uncomment for cookie based saving
-            Cookie cookie = new Cookie(SecurityConstants.JWT_HEADER,jwt);
+            ResponseCookie jwtCookie = ResponseCookie.from(SecurityConstants.JWT_HEADER, jwt)
-            cookie.setHttpOnly(true);
+                .httpOnly(true)
-            cookie.setSecure(false);
+                .secure(true) // set to true if HTTPS
-            cookie.setPath("/");
+                .path("/")
-            response.addCookie(cookie);
+                .sameSite("None") // or "None" if your frontend is on another port/origin
-            System.out.println("JWT Generated");
+                .maxAge(60 * 60) // 1 hour
-        }
+                .build();
+
+                response.addHeader("Set-Cookie", jwtCookie.toString());
+            }
         System.out.println("Intercepted");
 
         System.out.println(response.getHeader("X-XSRF-TOKEN"));