
I have an application which is built using Spring Boot and Angular 6. I have also generated API clients using Swagger-codegen. Everything was working fine, but recently it was found that the application was vulnerable to CSRF. So, I have implemented the CSRF token within a cookie by using a CsrfTokenRepository on the server side, like this:

http.csrf().ignoringAntMatchers(CSRF_IGNORE).csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

and for Angular :

HttpClientXsrfModule.withOptions({cookieName: 'XSRF-TOKEN'}),

Now, the application is working fine, but the swagger-ui and generated API clients are not working. It throws:

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.

I have searched for this and found some issues for swagger and springfox-swagger-ui. In particular, this was very useful: https://github.com/springfox/springfox/issues/1450. But I didn't find any idea about how I can use this, or whether it is possible or not. In most other places, developers are ignoring swagger-ui from CSRF.

Any help will be appreciated.

Thanks

Rajat Garg

0 Answers
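The error in the question is the double-submit-cookie check failing: CookieCsrfTokenRepository puts the token in the XSRF-TOKEN cookie, and the server only accepts a mutating request whose X-XSRF-TOKEN header (or _csrf parameter) echoes that cookie. Angular's HttpClientXsrfModule does the echo; swagger-ui and the swagger-codegen clients do not, so the server sees 'null'. The JavaScript below is an added example written for this page, not code from the question, Spring Security, Angular or springfox. It models both halves of the handshake with the cookie, header and parameter names from the question's error message: a client-side interceptor that a practitioner can wrap around any fetch-based client, and a server-side validation that reproduces the exact rejection message. The cookie string is passed as a parameter (it would be document.cookie in a browser) so the code runs offline; the sample cookie and request are constructed, and the omission of Spring's token-issuing step when no cookie exists is a deliberate simplification.

```javascript
// Added example, not code from the question, Spring Security, Angular or springfox.
// Models the double-submit-cookie handshake that CookieCsrfTokenRepository
// (server) and HttpClientXsrfModule (Angular) implement, using the cookie,
// header and parameter names that appear in the question's error message.
const CSRF_COOKIE = 'XSRF-TOKEN';
const CSRF_HEADER = 'X-XSRF-TOKEN';
const CSRF_PARAM = '_csrf';
// Methods Spring's CSRF filter leaves unprotected; everything else must carry the token.
const SAFE_METHODS = ['GET', 'HEAD', 'TRACE', 'OPTIONS'];

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Case-insensitive header lookup; HTTP header names are not case-sensitive.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === wanted) return v;
  }
  return null;
}

// Client side: what HttpClientXsrfModule does for Angular, written as a request
// interceptor you can wrap around a generated client or swagger-ui that lacks
// XSRF support. The cookie must be readable by script, which is why the
// question's config uses withHttpOnlyFalse(). `cookieString` is document.cookie
// in a browser; it is a parameter here so the code also runs in Node.
function withXsrfHeader(request, cookieString) {
  const method = (request.method || 'GET').toUpperCase();
  const headers = { ...(request.headers || {}) };
  const token = parseCookies(cookieString)[CSRF_COOKIE];
  if (!SAFE_METHODS.includes(method) && token !== undefined) {
    headers[CSRF_HEADER] = token;
  }
  return { ...request, method, headers };
}

// Length-checked, constant-time string comparison so the check does not leak
// how many leading characters of the token matched.
function tokensEqual(expected, actual) {
  if (typeof expected !== 'string' || typeof actual !== 'string') return false;
  if (expected.length !== actual.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ actual.charCodeAt(i);
  }
  return diff === 0;
}

// Server side: a model of the check performed against the token bound to the
// request (here, the XSRF-TOKEN cookie). The header is consulted first, then the
// _csrf request parameter, and a mismatch yields the message quoted in the
// question. Spring also issues a fresh token when the cookie is absent; that
// step is not modelled (simplification), so a missing cookie just fails the compare.
function validateCsrf(request, cookieString, params = {}) {
  const method = (request.method || 'GET').toUpperCase();
  if (SAFE_METHODS.includes(method)) return { ok: true };
  const expected = parseCookies(cookieString)[CSRF_COOKIE];
  let actual = getHeader(request.headers, CSRF_HEADER);
  if (actual === null) actual = params[CSRF_PARAM] ?? null;
  if (tokensEqual(expected, actual)) return { ok: true };
  return {
    ok: false,
    message: `Invalid CSRF Token '${actual}' was found on the request parameter ` +
             `'${CSRF_PARAM}' or header '${CSRF_HEADER}'.`,
  };
}

// Constructed demo: a POST from a client that does not echo the cookie (what
// swagger-ui and the generated clients do in the question) versus one that does.
const demoCookie = 'JSESSIONID=0123456789abcdef; XSRF-TOKEN=8f3e0c1a-5b2d-4e7f-9a1b-2c3d4e5f6a7b';
const demoPost = { method: 'POST', url: '/api/items', headers: { 'Content-Type': 'application/json' } };
console.log(validateCsrf(demoPost, demoCookie));                             // rejected, token 'null'
console.log(validateCsrf(withXsrfHeader(demoPost, demoCookie), demoCookie)); // { ok: true }
```

For a generated client, wrap each outgoing request in withXsrfHeader (or its equivalent for the client's HTTP layer) rather than excluding the endpoints from CSRF protection, which is what the question says most developers do for swagger-ui. Newer swagger-ui builds expose a requestInterceptor option that takes exactly this shape of function; whether the swagger-ui version bundled with a given springfox release exposes it is an assumption to check against that release.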