From 75168738adb36d9048e3cc54f06baeffc04311dd Mon Sep 17 00:00:00 2001
From: Reuben Pasquini
Date: Wed, 24 Jan 2018 16:54:01 -0600
Subject: [PATCH] chore(revproxy): add csrf check

csrf cookie-to-header check in the reverse proxy
---
 kube/services/revproxy/00nginx-config.yaml | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/kube/services/revproxy/00nginx-config.yaml b/kube/services/revproxy/00nginx-config.yaml
index 2f3d146e2..d75701ecf 100644
--- a/kube/services/revproxy/00nginx-config.yaml
+++ b/kube/services/revproxy/00nginx-config.yaml
@@ -39,8 +39,7 @@ data:
 ##
 # Logging Settings
- ##
-
+ ##
 access_log /dev/stdout;
 error_log /dev/stderr;
@@ -67,6 +66,21 @@ data:
 if ($cookie_access_token) {
 set $access_token "Bearer $cookie_access_token";
 }
+
+ #
+ # CSRF check
+ # This block requires a csrftoken for all POST requests.
+ #
+ set $csrf_check "fail";
+ if ($cookie_csrftoken = $http_x_csrf_token) {
+ set $csrf_check "ok-$cookie_csrftoken";
+ }
+ if ($request_method != "POST") {
+ set $csrf_check "ok-$request_method";
+ }
+ if ($csrf_check !~ ^ok-\S.+$) {
+ return 403 "failed csrf check";
+ }
 #
 # Note - need to repeat this line in location blocks that call proxy_set_header,
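Review bot: The method exemption in the second hunk, `if ($request_method != "POST")`, marks every non-POST request as `ok-`, so PUT, PATCH and DELETE reach the upstream without any cookie-to-header comparison and the new check only covers POST. If any proxied service changes state on those methods, the exemption should be narrowed to the safe methods, e.g. `if ($request_method !~ ^(POST|PUT|PATCH|DELETE)$) {`, and the header comment changed from "all POST requests" to name the methods actually enforced. The final regex `^ok-\S.+$` is what rejects the case where both `$cookie_csrftoken` and `$http_x_csrf_token` are empty (they compare equal, leaving `ok-` with nothing after it), which deserves a comment such as `# \S.+ rejects the empty-cookie/empty-header match, which compares equal` so that the `\S` is not simplified away later. The enclosing server block, and the location blocks the trailing comment refers to, lie outside this hunk, and the hunk's last context line appears to be cut off in this view.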