Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rewrite OCS CSRF check to be readable #39125

Merged
merged 1 commit into from
Aug 16, 2023
Merged

Rewrite OCS CSRF check to be readable #39125

merged 1 commit into from
Aug 16, 2023

Conversation

provokateurin
Copy link
Member

Summary

Previous code was unreadable and every time I come across it I had to read it multiple times to understand what it does. Should be much clearer now (at least it is to me).

Checklist

@provokateurin provokateurin added this to the Nextcloud 28 milestone Jul 3, 2023
@provokateurin provokateurin force-pushed the refactor/csrf-ocs-check branch 2 times, most recently from 502465f to 75cb133 Compare July 3, 2023 17:27
@provokateurin provokateurin marked this pull request as draft July 3, 2023 17:38
@provokateurin provokateurin force-pushed the refactor/csrf-ocs-check branch 4 times, most recently from f3f7472 to 4c23b19 Compare July 3, 2023 18:22
@provokateurin
Copy link
Member Author

This PR was hell, the previous logic was really not readable and understandable and comment was misleading...

@provokateurin provokateurin marked this pull request as ready for review July 3, 2023 18:39
blizzz
blizzz reviewed Jul 3, 2023
View reviewed changes
Copy link
Member

@blizzz blizzz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personally, you would increase readability by breaking long lines down into many =) (but with leading operators).

christianlupus
christianlupus reviewed Jul 4, 2023
View reviewed changes
Copy link
Contributor

@christianlupus christianlupus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes I suggested are only cosmetic. As I used GitHub, I hope the indentations are correct and will satisfy any active cide style formatters.

One suggestion that might improve readability:
We could insert very small private methods that are just evaluating the if conditions. That would make it more readable, I guess. So, you would (for example) add a method

private function isInvalidCSRFRequired($reflectionMethod) {
	if ($this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class) {
		return false;
	}

	return ! $this->request->passesCSRFCheck();
}

This is for sure more verbose but I guess more readable, especially as the main beforeController method will offload significant parts of the logic. Adding comments to various parts of the condition methods will allow more human understanding as well.
What do you think about this?

Apart from that I did not find any flaws with the logic. The behavior should be 100% the same.

In general, I think this increases the readability and that should be done in any case. (Maybe even more)

lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php Outdated Show resolved Hide resolved
lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php Outdated Show resolved Hide resolved
lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php Outdated Show resolved Hide resolved
lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php Outdated Show resolved Hide resolved
@provokateurin
Copy link
Member Author

@christianlupus I agree with you, it's a lot more readable when the logic is in a separate method. Then it's also easy to use early returns instead of all this mess.

christianlupus
christianlupus approved these changes Jul 13, 2023
View reviewed changes
Copy link
Contributor

@christianlupus christianlupus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems cleaner and I see no change in the implemented logic here.

@provokateurin provokateurin force-pushed the refactor/csrf-ocs-check branch 2 times, most recently from 5b391e1 to bae8e8d Compare August 11, 2023 09:23
@provokateurin
Rewrite OCS CSRF check to be readable
12f8543 
Signed-off-by: jld3103 <jld3103yt@gmail.com>
@provokateurin
Copy link
Member Author

How long do I have to rebase until this shit finally works 😅

@kesselb kesselb added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Aug 16, 2023
@provokateurin provokateurin merged commit f85e751 into master Aug 16, 2023
37 checks passed
@provokateurin provokateurin deleted the refactor/csrf-ocs-check branch August 16, 2023 17:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@christianlupus christianlupus christianlupus approved these changes

@julien-nc julien-nc julien-nc approved these changes

@nickvergessen nickvergessen Awaiting requested review from nickvergessen

@ChristophWurst ChristophWurst Awaiting requested review from ChristophWurst

@come-nc come-nc Awaiting requested review from come-nc

@blizzz blizzz Awaiting requested review from blizzz

Assignees
No one assigned
Labels
4. to release Ready to be released and/or waiting for tests to finish technical debt
Projects
None yet
Milestone
Nextcloud 28
Development

Successfully merging this pull request may close these issues.
6 participants
@provokateurin @nickvergessen @blizzz @christianlupus @julien-nc @kesselb