OWASP · arkid15r · Apr 5, 2025 · Apr 3, 2025 · Apr 3, 2025 · Apr 3, 2025
@@ -78,7 +78,7 @@ jobs:
       - name: Check for uncommitted changes
         run: |
           git diff --exit-code || (echo 'Unstaged changes detected. \
-          Run `make check-all` and use `git add` to address it.' && exit 1)
+          Run `make check` and use `git add` to address it.' && exit 1)
 
   spellcheck:
     name: Run spell check
@@ -241,6 +241,7 @@ jobs:
         run: |
           touch frontend/.env
           echo "VITE_API_URL=${{ secrets.VITE_API_URL }}" >> frontend/.env
+          echo "VITE_CSRF_URL=${{ secrets.VITE_CSRF_URL }}" >> frontend/.env
           echo "VITE_ENVIRONMENT=${{ secrets.VITE_ENVIRONMENT }}" >> frontend/.env
           echo "VITE_GRAPHQL_URL=${{ secrets.VITE_GRAPHQL_URL }}" >> frontend/.env
           echo "VITE_IDX_URL=${{ secrets.VITE_IDX_URL }}" >> frontend/.env
@@ -404,6 +405,7 @@ jobs:
         run: |
           touch frontend/.env
           echo "VITE_API_URL=${{ secrets.VITE_API_URL }}" >> frontend/.env
+          echo "VITE_CSRF_URL=${{ secrets.VITE_CSRF_URL }}" >> frontend/.env
           echo "VITE_ENVIRONMENT=${{ secrets.VITE_ENVIRONMENT }}" >> frontend/.env
           echo "VITE_GRAPHQL_URL=${{ secrets.VITE_GRAPHQL_URL }}" >> frontend/.env
           echo "VITE_IDX_URL=${{ secrets.VITE_IDX_URL }}" >> frontend/.env

@@ -49,7 +49,7 @@ jobs:
       - name: Check for uncommitted changes
         run: |
           git diff --exit-code || (echo 'Unstaged changes detected. \
-          Run `make check-all` and use `git add` to address it.' && exit 1)
+          Run `make check` and use `git add` to address it.' && exit 1)
 
   code-ql:
     name: CodeQL

@@ -234,7 +234,7 @@ Please follow these contribution guidelines for OWASP Schema-related changes:
 Nest enforces code quality standards to ensure consistency and maintainability. You can run automated checks locally before pushing your changes:
 
 ```bash
-make check-all
+make check
 ```
 
 This command runs linters and other static analysis tools for both the frontend and backend.
@@ -245,7 +245,7 @@ This command runs linters and other static analysis tools for both the frontend
 Our CI/CD pipelines automatically run tests against every Pull Request. You can run tests locally before submitting a PR:
 
 ```bash
-make test-all
+make test
 ```
 
 This command runs tests and checks that coverage threshold requirements are satisfied for both backend and frontend.
@@ -286,7 +286,7 @@ git checkout -b feature/my-feature-name
 - Run the code quality checks and tests:
 
   ```bash
-  make check-test-all
+  make check-test
   ```
 
 - Write meaningful commit messages:

@@ -7,17 +7,22 @@ include schema/Makefile
 build:
 	@docker compose build
 
-check-all: \
+clean: \
+	clean-backend \
+	clean-frontend \
+	clean-schema
+
+check: \
 	check-backend \
 	check-frontend \
 	check-spelling
 
 check-backend: \
 	pre-commit
 
-check-test-all: \
-	check-all \
-	test-all
+check-test: \
+	check \
+	test
 
 check-test-backend: \
 	pre-commit \
@@ -33,7 +38,7 @@ pre-commit:
 run:
 	@COMPOSE_BAKE=true docker compose -f docker/docker-compose-local.yaml up --build --remove-orphans
 
-test-all: \
+test: \
 	test-nest-app \
 	test-schema
 

@@ -1,3 +1,8 @@
+clean-backend:
+	@rm -rf backend/.cache
+	@rm -rf backend/.local
+	@rm -rf backend/.venv
+
 exec-backend-command:
 	@docker exec -i nest-backend $(CMD)
 

@@ -0,0 +1,13 @@
+"""CSRF token API."""
+
+from django.http import JsonResponse
+from django.middleware.csrf import get_token
+from django.views.decorators.csrf import ensure_csrf_cookie
+from django.views.decorators.http import require_GET
+
+
+@require_GET
+@ensure_csrf_cookie
+def get_csrf_token(request):
+    """Return a response with the CSRF token."""
+    return JsonResponse({"csrftoken": get_token(request)})
@@ -8,11 +8,12 @@
 from django.conf.urls.static import static
 from django.contrib import admin
 from django.urls import include, path
-from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.csrf import csrf_protect
 from graphene_django.views import GraphQLView
 from rest_framework import routers
 
 from apps.core.api.algolia import algolia_search
+from apps.core.api.csrf import get_csrf_token
 from apps.github.api.urls import router as github_router
 from apps.owasp.api.urls import router as owasp_router
 from apps.slack.apps import SlackConfig
@@ -22,8 +23,9 @@
 router.registry.extend(owasp_router.registry)
 
 urlpatterns = [
-    path("idx/", csrf_exempt(algolia_search)),
-    path("graphql/", csrf_exempt(GraphQLView.as_view(graphiql=settings.DEBUG))),
+    path("csrf/", get_csrf_token),
+    path("idx/", csrf_protect(algolia_search)),
+    path("graphql/", csrf_protect(GraphQLView.as_view(graphiql=settings.DEBUG))),
     path("api/v1/", include(router.urls)),
     path("a/", admin.site.urls),
 ]

@@ -1,4 +1,5 @@
 VITE_API_URL=http://localhost:8000/api/v1/
+VITE_CSRF_URL=http://localhost:8000/csrf/
 VITE_ENVIRONMENT=local
 VITE_GRAPHQL_URL=http://localhost:8000/graphql/
 VITE_GTM_AUTH=your-google-tag-manager-auth

@@ -3,6 +3,10 @@ check-frontend: \
 	format-frontend-code \
 	lint-frontend-code
 
+clean-frontend:
+	@rm -rf frontend/.pnpm-store
+	@rm -rf frontend/node_modules
+
 exec-frontend-command:
 	@docker exec -t nest-frontend $(CMD)
 
@@ -19,8 +23,8 @@ shell-frontend:
 	@CMD="/bin/sh" $(MAKE) exec-frontend-command-it
 
 test-frontend: \
-	test-frontend-e2e \
-	test-frontend-unit
+	test-frontend-unit \
+	test-frontend-e2e
 
 test-frontend-e2e:
 	@DOCKER_BUILDKIT=1 docker build \

@@ -16,6 +16,15 @@ test.describe('About Page', () => {
       }
     })
 
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
+
     await page.goto('/about')
   })
 

@@ -9,6 +9,14 @@ test.describe('Chapter Details Page', () => {
         json: { data: { chapter: mockChapterDetailsData } },
       })
     })
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('/chapters/test-chapter')
   })
 

@@ -12,6 +12,14 @@ test.describe('Chapters Page', () => {
         }),
       })
     })
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('/chapters')
   })
 

@@ -9,6 +9,14 @@ test.describe('Committee Details Page', () => {
         json: { data: mockCommitteeDetailsData },
       })
     })
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('/committees/test-committee')
   })
 

@@ -12,6 +12,14 @@ test.describe('Committees Page', () => {
         }),
       })
     })
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('/committees')
   })
 

@@ -12,6 +12,14 @@ test.describe('Contribute Page', () => {
         }),
       })
     })
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('/projects/contribute')
   })
 

@@ -9,6 +9,14 @@ test.describe('Home Page', () => {
         json: mockHomeData,
       })
     })
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('/')
   })
 

@@ -9,6 +9,14 @@ test.describe('Project Details Page', () => {
         json: { data: mockProjectDetailsData },
       })
     })
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('/projects/test-project', { timeout: 60000 })
   })
 

@@ -12,6 +12,14 @@ test.describe('Projects Page', () => {
         }),
       })
     })
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('/projects')
   })
 

@@ -9,6 +9,14 @@ test.describe('Repository Details Page', () => {
         json: { data: mockRepositoryData },
       })
     })
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('/repositories/test-repository')
   })
 

@@ -9,6 +9,14 @@ test.describe('User Details Page', () => {
         json: { data: mockUserDetailsData },
       })
     })
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('community/users/test-user')
   })
   test('should have a heading and summary', async ({ page }) => {

@@ -12,6 +12,14 @@ test.describe('Users Page', () => {
         }),
       })
     })
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('/community/users')
   })
 

@@ -2,6 +2,14 @@ import { test, expect } from '@playwright/test'
 
 test.describe('Footer Social Media Icons', () => {
   test.beforeEach(async ({ page }) => {
+    await page.context().addCookies([
+      {
+        name: 'csrftoken',
+        value: 'abc123',
+        domain: 'localhost',
+        path: '/',
+      },
+    ])
     await page.goto('/')
   })