Turn on CSRF protection.

[markpatton]

Turns on CSRF protection using cookies and headers. Responses from the API will set a cookie XSRF-TOKEN and non-GET requests from the client must set the header X-XSRF-TOKEN with the value of the cookie. GET requests to the /doi service are also protected because they have side effects.

In addition the integration tests have been refactored to handle the CSRF token and do a little more testing.

By default CSRF protection requires a POST to to /logout. This is disabled for now because the a POST to that endpoint with the header set returns a login form with a CSRF token hidden in the form. Submitting that form does do the logout. The format of the token in the in the form is different from the cookie. In addition doing a POST to /logout will initiate the SAML logout process. The complications don't seem to make protecting /logout worthwhile at the moment.

Clients can user any CSRF token they want. The cookie and header just must be consistent.

Required prs:

• Add support for CSRF tokens to pass-data-client pass-support#116
• Handle CSRF tokens pass-ui#1276
• Add CSRF token to loader pass-docker#375

Acceptance tests pass, but require the updated pass-core and pass-support images running in the updated pass-docker.

[rpoet-jh]

Great job, Mark! The spring security configuration looks like it pretty much matches what is in the docs for SPA CSRF which is good. I only had a few minor comments.

The question re: what to do about what to do about requests coming from the backend user (stateless basic auth) and CSRF, I will do some more reading on this, but we can also talk about this if you want to try and come to a reasonable decision.

[rpoet-jh]

I'm ready to approve, but I know there are still some pending issues on the UI/tests side. I will approve once those issue have been fixed jic there are changes need in pass-core.