We are struggling with trying to implement CSRF protection in a SPA using AngularJS and Restful services.
Scenario: 1. user logs in a JWT is created that contains a CSRF Token as part of the payload.
JWT is put in a HTTP Only Secure cookie and sent back on the response header
Additionally the same CSRF Token is sent back in the response.
The javascript (angular) code puts the CSRF token in $rootScope
User/program whatever... makes a request of a protected api. Send the CSRF token from $rootScope in the request.
Cookie travels back along with the request.
Server looks at the cookie unpacks the csrf token in the JWT compares CSRF token with the token that was in the request body.
- Generates a new CSRF token... puts it in the jwt, puts jwt back in a cookie returns cookie along with the CSRF token in the response.
- Client receives response, stashes the CSRF token in the $rootScope.
- Repeat
Question: If I have many requests in a short period of time (sub second) from a client (, using an interceptor, maybe) which gets the CSRF token from the $rootScope. Could the csrf token in my request EVER be out of sync with the CSRF token that is in the Header/Cookie/JWT?
P.S. I understand the concept of promises etc.
The bottom line is I want every request to the API to have a CSRF token in the body that will match the CSRF token in the Header/Cookie/JWT.
