CSRF XSRF - problem with reading token from cookie


#1

I have developed a REST API and two JavaScript clients (a Single Page App and a native app based on Electron). In both clients my users authenticate via an OAuth2 flow:

  1. the client sends the username and password to the server
  2. it gets an access_token (in plain text) and a refresh_token (in an httponly cookie)
  3. when the token expires it refreshes it by sending a request to the /refresh endpoint (the server reads the refresh_token from the cookie)

Now I would like to implement CSRF protection. So I added it on my back-end side (Spring):

@Override
public void configure(HttpSecurity http) throws Exception {
    // Double-submit cookie: XSRF-TOKEN is written without HttpOnly so client-side JS can read it
    // and echo it back in the X-XSRF-TOKEN header on state-changing requests.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
            // login/token endpoints stay public, everything else needs an authenticated user
            .authorizeRequests().antMatchers("/", "/index.html", "/token/**").permitAll()
            .anyRequest().authenticated();
}

My SPA works perfectly: Angular reads XSRF-TOKEN from the cookie and sends it in the X-XSRF-TOKEN header. I have a problem with the Electron app. It doesn't have access to the cookie (because of a different origin; Electron runs on a file:// URL), so it is unable to set the X-XSRF-TOKEN header.

How can I deal with it? Is there any way to instantiate a "cross-origin" cookie (specify domains which can read the cookie)? Or maybe I can somehow take the cookie value via some magic Electron API (if it has access to the file system, maybe it has access to any cookie which is created on the machine)? Or can I somehow implement a proxy inside my Electron app?


#2

I have also posted the question on Stack Overflow, so feel free to add an answer there if you prefer: