fix(admin): resolve Medium code-review finding (Admin-006)

Emit <AntiforgeryToken /> in the MainLayout sign-out form and remove .DisableAntiforgery() from the /auth/logout endpoint so UseAntiforgery() validates the token. A tokenless POST now returns 400, preventing CSRF-logout. Regression-guarded by AuthEndpointsTests.Logout_without_antiforgery_token_is_rejected. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 07:26:34 -04:00
parent 55c2a5a209
commit af454c6af6
4 changed files with 21 additions and 11 deletions
--- a/code-reviews/Admin/findings.md
+++ b/code-reviews/Admin/findings.md
@@ -108,13 +108,13 @@
 | Severity | Medium |
 | Category | Security |
 | Location | `Components/Layout/MainLayout.razor:47-49`, `Program.cs:129,131-135` |
-| Status | Open |
+| Status | Resolved |

 **Description:** `app.UseAntiforgery()` is enabled, but the Sign-out form (`<form method="post" action="/auth/logout">`) renders no antiforgery token, and the `MapPost("/auth/logout", ...)` endpoint does not call `.DisableAntiforgery()` or otherwise opt out. Depending on framework version this either makes logout fail with a 400 for legitimate users, or — if the endpoint is treated as exempt — leaves logout as an unprotected state-changing POST (CSRF logout). The same concern applies to the login form once Admin-005 is addressed.

 **Recommendation:** Emit an antiforgery token in the logout form and let `UseAntiforgery()` validate it; or explicitly and deliberately mark the endpoint `.DisableAntiforgery()` if a tokenless logout is intended. Verify login/logout round-trips after the change.

-**Resolution:** _(open)_
+**Resolution:** Resolved 2026-05-22 — `<AntiforgeryToken />` added to the sign-out form in `MainLayout.razor` and `.DisableAntiforgery()` removed from the `/auth/logout` endpoint so `UseAntiforgery()` validates the token; a tokenless POST now returns 400, preventing CSRF-logout. The login endpoint retains `.DisableAntiforgery()` (login is not a state-changing operation CSRF can abuse). `AuthEndpointsTests.Logout_without_antiforgery_token_is_rejected` regression-guards this.

 ### Admin-007

--- a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor
@@ -45,6 +45,7 @@
                            .Where(c => c.Type.EndsWith("/role")).Select(c => c.Value))
                    </div>
                    <form method="post" action="/auth/logout">
+                        <AntiforgeryToken />
                        <button class="rail-btn" type="submit">Sign out</button>
                    </form>
                </Authorized>
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/AuthEndpoints.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/AuthEndpoints.cs
@@ -21,15 +21,21 @@ public static class AuthEndpoints
    public static IEndpointRouteBuilder MapAuthEndpoints(this IEndpointRouteBuilder endpoints)
    {
        // Anonymous: the login POST is the only way in, so the fallback authorization policy
-        // (Admin-001) must not gate it. DisableAntiforgery — the static form posts with
-        // data-enhance="false" and renders no token; the cookie scheme + LDAP bind are the
-        // gate here. (Admin-006 covers emitting a token for a hardened build.)
+        // (Admin-001) must not gate it. DisableAntiforgery — the static Login.razor form posts
+        // with data-enhance="false" and renders no antiforgery token; the cookie scheme + LDAP
+        // bind are the authentication gate here. Login is not a state-changing operation that
+        // CSRF can abuse (the attacker cannot know the resulting cookie), so tokenless-login is
+        // the standard Web pattern.
        endpoints.MapPost("/auth/login", (Delegate)LoginAsync)
            .AllowAnonymous()
            .DisableAntiforgery();

-        endpoints.MapPost("/auth/logout", (Delegate)LogoutAsync)
-            .DisableAntiforgery();
+        // Admin-006: the logout form in MainLayout.razor emits <AntiforgeryToken /> so the
+        // middleware validates the token. This prevents a cross-site logout (CSRF-logout) where
+        // an attacker tricks the operator's browser into posting to /auth/logout. The endpoint
+        // intentionally does NOT call .DisableAntiforgery() — the token must be present and
+        // valid; the middleware rejects forged or missing tokens with 400.
+        endpoints.MapPost("/auth/logout", (Delegate)LogoutAsync);

        return endpoints;
    }
--- a/tests/Server/ZB.MOM.WW.OtOpcUa.Admin.Tests/AuthEndpointsTests.cs
+++ b/tests/Server/ZB.MOM.WW.OtOpcUa.Admin.Tests/AuthEndpointsTests.cs
@@ -148,16 +148,19 @@ public sealed class AuthEndpointsTests : IClassFixture<AuthEndpointsTests.Stubbe
    }

    [Fact]
-    public async Task Logout_endpoint_clears_the_cookie_and_redirects_to_login()
+    public async Task Logout_without_antiforgery_token_is_rejected()
    {
+        // Admin-006: the logout endpoint no longer calls .DisableAntiforgery(), so the
+        // UseAntiforgery() middleware must reject a POST that carries no token with 400.
+        // This regression guards against CSRF-logout (attacker tricking the browser into
+        // signing the operator out by posting to /auth/logout from a foreign origin).
        using var client = _factory.CreateNonRedirectingClient();

        var response = await client.PostAsync("/auth/logout",
            new FormUrlEncodedContent(Array.Empty<KeyValuePair<string, string>>()));

-        // No antiforgery 400 — the endpoint opts out (Admin-006 note in AuthEndpoints).
-        response.StatusCode.ShouldBeOneOf(HttpStatusCode.Redirect, HttpStatusCode.Found);
-        response.Headers.Location!.OriginalString.ShouldContain("/login");
+        response.StatusCode.ShouldBe(HttpStatusCode.BadRequest,
+            "/auth/logout without an antiforgery token must be rejected (Admin-006)");
    }

    // ── Admin-003: SignalR hubs reject anonymous connections ────────────────────