Allow disabling xsrf protection per an endpoint

docs/development/core/server/kibana-plugin-server.routeconfigoptions.md

@@ -19,4 +19,5 @@ export interface RouteConfigOptions<Method extends RouteMethod>
 |  [authRequired](./kibana-plugin-server.routeconfigoptions.authrequired.md) | <code>boolean</code> | A flag shows that authentication for a route: <code>enabled</code> when true <code>disabled</code> when false<!-- -->Enabled by default. |
 |  [body](./kibana-plugin-server.routeconfigoptions.body.md) | <code>Method extends 'get' &#124; 'options' ? undefined : RouteConfigOptionsBody</code> | Additional body options [RouteConfigOptionsBody](./kibana-plugin-server.routeconfigoptionsbody.md)<!-- -->. |
 |  [tags](./kibana-plugin-server.routeconfigoptions.tags.md) | <code>readonly string[]</code> | Additional metadata tag strings to attach to the route. |
+|  [xsrfRequired](./kibana-plugin-server.routeconfigoptions.xsrfrequired.md) | <code>boolean</code> | Defines xsrf protection requirements for a route: - true. Requires an incoming request to contain <code>kbn-xsrf</code> header. - false. Disables xsrf protection.<!-- -->Set to true by default |
 

docs/development/core/server/kibana-plugin-server.routeconfigoptions.xsrfrequired.md

@@ -0,0 +1,15 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [RouteConfigOptions](./kibana-plugin-server.routeconfigoptions.md) &gt; [xsrfRequired](./kibana-plugin-server.routeconfigoptions.xsrfrequired.md)
+
+## RouteConfigOptions.xsrfRequired property
+
+Defines xsrf protection requirements for a route: - true. Requires an incoming request to contain `kbn-xsrf` header. - false. Disables xsrf protection.
+
+Set to true by default
+
+<b>Signature:</b>
+
+```typescript
+xsrfRequired?: boolean;
+```

src/core/server/config/deprecation/core_deprecations.test.ts

@@ -81,6 +81,19 @@ describe('core deprecations', () => {
     });
   });
 
+  describe('xsrfDeprecation', () => {
+    it('logs a warning if server.xsrf.whitelist is set', () => {
+      const { messages } = applyCoreDeprecations({
+        server: { xsrf: { whitelist: ['/path'] } },
+      });
+      expect(messages).toMatchInlineSnapshot(`
+        Array [
+          "It is not recommended to disable xsrf protections for API endpoints via [server.xsrf.whitelist].It will be removed in 8.0 release. Instead, supply the \\"kbn-xsrf\\" header.",
+        ]
+      `);
+    });
+  });
+
   describe('rewriteBasePath', () => {
     it('logs a warning is server.basePath is set and server.rewriteBasePath is not', () => {
       const { messages } = applyCoreDeprecations({

src/core/server/config/deprecation/core_deprecations.ts

@@ -38,6 +38,16 @@ const dataPathDeprecation: ConfigDeprecation = (settings, fromPath, log) => {
   return settings;
 };
 
+const xsrfDeprecation: ConfigDeprecation = (settings, fromPath, log) => {
+  if (has(settings, 'server.xsrf.whitelist')) {
+    log(
+      'It is not recommended to disable xsrf protections for API endpoints via [server.xsrf.whitelist].' +
+        'It will be removed in 8.0 release. Instead, supply the "kbn-xsrf" header.'
+    );
+  }
+  return settings;
+};
+
 const rewriteBasePathDeprecation: ConfigDeprecation = (settings, fromPath, log) => {
   if (has(settings, 'server.basePath') && !has(settings, 'server.rewriteBasePath')) {
     log(
@@ -177,4 +187,5 @@ export const coreDeprecationProvider: ConfigDeprecationProvider = ({
   rewriteBasePathDeprecation,
   cspRulesDeprecation,
   mapManifestServiceUrlDeprecation,
+  xsrfDeprecation,
 ];

src/core/server/http/http_server.mocks.ts

@@ -29,6 +29,7 @@ import {
   RouteMethod,
   KibanaResponseFactory,
   RouteValidationSpec,
+  KibanaRouteState,
 } from './router';
 import { OnPreResponseToolkit } from './lifecycle/on_pre_response';
 import { OnPostAuthToolkit } from './lifecycle/on_post_auth';
@@ -43,6 +44,7 @@ interface RequestFixtureOptions<P = any, Q = any, B = any> {
   method?: RouteMethod;
   socket?: Socket;
   routeTags?: string[];
+  kibanaRouteState?: KibanaRouteState;
   validation?: {
     params?: RouteValidationSpec<P>;
     query?: RouteValidationSpec<Q>;
@@ -60,11 +62,13 @@ function createKibanaRequestMock<P = any, Q = any, B = any>({
   socket = new Socket(),
   routeTags,
   validation = {},
+  kibanaRouteState = { xsrfRequired: true },
 }: RequestFixtureOptions<P, Q, B> = {}) {
   const queryString = stringify(query, { sort: false });
 
   return KibanaRequest.from<P, Q, B>(
     createRawRequestMock({
+      app: kibanaRouteState,
       headers,
       params,
       query,
@@ -105,6 +109,7 @@ function createRawRequestMock(customization: DeepPartial<Request> = {}) {
   return merge(
     {},
     {
+      app: { xsrfRequired: true } as any,
       headers: {},
       path: '/',
       route: { settings: {} },

src/core/server/http/http_server.ts

@@ -27,7 +27,7 @@ import { adoptToHapiOnPostAuthFormat, OnPostAuthHandler } from './lifecycle/on_p
 import { adoptToHapiOnPreAuthFormat, OnPreAuthHandler } from './lifecycle/on_pre_auth';
 import { adoptToHapiOnPreResponseFormat, OnPreResponseHandler } from './lifecycle/on_pre_response';
 
-import { IRouter } from './router';
+import { IRouter, KibanaRouteState } from './router';
 import {
   SessionStorageCookieOptions,
   createCookieSessionStorageFactory,
@@ -148,15 +148,18 @@ export class HttpServer {
         this.log.debug(`registering route handler for [${route.path}]`);
         // Hapi does not allow payload validation to be specified for 'head' or 'get' requests
         const validate = ['head', 'get'].includes(route.method) ? undefined : { payload: true };
-        const { authRequired = true, tags, body = {} } = route.options;
+        const { authRequired = true, tags, body = {}, xsrfRequired = true } = route.options;
         const { accepts: allow, maxBytes, output, parse } = body;
+        const kibanaRouteState: KibanaRouteState = { xsrfRequired };
+
         this.server.route({
           handler: route.handler,
           method: route.method,
           path: route.path,
           options: {
             // Enforcing the comparison with true because plugins could overwrite the auth strategy by doing `options: { authRequired: authStrategy as any }`
             auth: authRequired === true ? undefined : false,
+            app: kibanaRouteState,
             tags: tags ? Array.from(tags) : undefined,
             // TODO: This 'validate' section can be removed once the legacy platform is completely removed.
             // We are telling Hapi that NP routes can accept any payload, so that it can bypass the default

src/core/server/http/integration_tests/lifecycle_handlers.test.ts

@@ -36,6 +36,7 @@ const versionHeader = 'kbn-version';
 const xsrfHeader = 'kbn-xsrf';
 const nameHeader = 'kbn-name';
 const whitelistedTestPath = '/xsrf/test/route/whitelisted';
+const xsrfDisabledTestPath = '/xsrf/test/route/disabled';
 const kibanaName = 'my-kibana-name';
 const setupDeps = {
   context: contextServiceMock.createSetupContract(),
@@ -188,6 +189,12 @@ describe('core lifecycle handlers', () => {
             return res.ok({ body: 'ok' });
           }
         );
+        ((router as any)[method.toLowerCase()] as RouteRegistrar<any>)<any, any, any>(
+          { path: xsrfDisabledTestPath, validate: false, options: { xsrfRequired: false } },
+          (context, req, res) => {
+            return res.ok({ body: 'ok' });
+          }
+        );
       });
 
       await server.start();
@@ -235,6 +242,10 @@ describe('core lifecycle handlers', () => {
         it('accepts whitelisted requests without either an xsrf or version header', async () => {
           await getSupertest(method.toLowerCase(), whitelistedTestPath).expect(200, 'ok');
         });
+
+        it('accepts requests on a route with disabled xsrf protection', async () => {
+          await getSupertest(method.toLowerCase(), whitelistedTestPath).expect(200, 'ok');
+        });
       });
     });
   });

src/core/server/http/lifecycle_handlers.test.ts

@@ -24,20 +24,22 @@ import {
 } from './lifecycle_handlers';
 import { httpServerMock } from './http_server.mocks';
 import { HttpConfig } from './http_config';
-import { KibanaRequest, RouteMethod } from './router';
+import { KibanaRequest, RouteMethod, KibanaRouteState } from './router';
 
 const createConfig = (partial: Partial<HttpConfig>): HttpConfig => partial as HttpConfig;
 
 const forgeRequest = ({
   headers = {},
   path = '/',
   method = 'get',
+  kibanaRouteState,
 }: Partial<{
   headers: Record<string, string>;
   path: string;
   method: RouteMethod;
+  kibanaRouteState: KibanaRouteState;
 }>): KibanaRequest => {
-  return httpServerMock.createKibanaRequest({ headers, path, method });
+  return httpServerMock.createKibanaRequest({ headers, path, method, kibanaRouteState });
 };
 
 describe('xsrf post-auth handler', () => {
@@ -142,6 +144,29 @@ describe('xsrf post-auth handler', () => {
       expect(toolkit.next).toHaveBeenCalledTimes(1);
       expect(result).toEqual('next');
     });
+
+    it('accepts requests if xsrf protection on a route is disabled', () => {
+      const config = createConfig({
+        xsrf: { whitelist: [], disableProtection: false },
+      });
+      const handler = createXsrfPostAuthHandler(config);
+      const request = forgeRequest({
+        method: 'post',
+        headers: {},
+        path: '/some-path',
+        kibanaRouteState: {
+          xsrfRequired: false,
+        },
+      });
+
+      toolkit.next.mockReturnValue('next' as any);
+
+      const result = handler(request, responseFactory, toolkit);
+
+      expect(responseFactory.badRequest).not.toHaveBeenCalled();
+      expect(toolkit.next).toHaveBeenCalledTimes(1);
+      expect(result).toEqual('next');
+    });
   });
 });
 

src/core/server/http/lifecycle_handlers.ts

@@ -31,7 +31,11 @@ export const createXsrfPostAuthHandler = (config: HttpConfig): OnPostAuthHandler
   const { whitelist, disableProtection } = config.xsrf;
 
   return (request, response, toolkit) => {
-    if (disableProtection || whitelist.includes(request.route.path)) {
+    if (
+      disableProtection ||
+      whitelist.includes(request.route.path) ||
+      request.route.options.xsrfRequired === false
+    ) {
       return toolkit.next();
     }
 

src/core/server/http/router/index.ts

@@ -24,6 +24,7 @@ export {
   KibanaRequestEvents,
   KibanaRequestRoute,
   KibanaRequestRouteOptions,
+  KibanaRouteState,
   isRealRequest,
   LegacyRequest,
   ensureRawRequest,

src/core/server/http/router/request.ts

@@ -18,7 +18,7 @@
  */
 
 import { Url } from 'url';
-import { Request } from 'hapi';
+import { Request, ApplicationState } from 'hapi';
 import { Observable, fromEvent, merge } from 'rxjs';
 import { shareReplay, first, takeUntil } from 'rxjs/operators';
 
@@ -30,6 +30,12 @@ import { RouteValidator, RouteValidatorFullConfig } from './validator';
 
 const requestSymbol = Symbol('request');
 
+/**
+ * @internal
+ */
+export interface KibanaRouteState extends ApplicationState {
+  xsrfRequired: boolean;
+}
 /**
  * Route options: If 'GET' or 'OPTIONS' method, body options won't be returned.
  * @public
@@ -184,6 +190,8 @@ export class KibanaRequest<
 
     const options = ({
       authRequired: request.route.settings.auth !== false,
+      // some places in LP call KibanaRequest.from(request) manually. remove fallback to true before v8
+      xsrfRequired: (request.app as KibanaRouteState)?.xsrfRequired || true,
       tags: request.route.settings.tags || [],
       body: ['get', 'options'].includes(method)
         ? undefined

src/core/server/http/router/route.ts

@@ -108,6 +108,15 @@ export interface RouteConfigOptions<Method extends RouteMethod> {
    */
   authRequired?: boolean;
 
+  /**
+   * Defines xsrf protection requirements for a route:
+   * - true. Requires an incoming request to contain `kbn-xsrf` header.
+   * - false. Disables xsrf protection.
+   *
+   * Set to true by default
+   */
+  xsrfRequired?: boolean;
+
   /**
    * Additional metadata tag strings to attach to the route.
    */

src/core/server/server.api.md

@@ -1397,6 +1397,7 @@ export interface RouteConfigOptions<Method extends RouteMethod> {
     authRequired?: boolean;
     body?: Method extends 'get' | 'options' ? undefined : RouteConfigOptionsBody;
     tags?: readonly string[];
+    xsrfRequired?: boolean;
 }
 
 // @public