Commit Graph

4 Commits

Author SHA1 Message Date
vivek-appsmith
c8a132f88d
feat: Remove hardcoding of upcoming integrations from client codebase #40047 (#40271) 2025-04-17 20:11:06 +05:30
Shrikant Sharat Kandula
32ed0ac9ad
fix: Use Spring's native CSRF protection, and fix login page (#37292)
## Description

The login page and a few other pages are exempted from CSRF today and
aren't doing any check at all. This makes our login page vulnerable to
CSRF. But it's not really exploitable in its current form, since there
are other points in the login flow that patch this hole up.

Nevertheless, CSRF being possible on the login form doesn't sound good
in any tone and context. This PR fixes this by not exempting _anything_
from CSRF, and doing a stateless CSRF check where necessary.

PR summary:

1. Switches from our home-built CSRF filter implementation to Spring's
native implementation.
2. Login form and a few others were previously exempted from CSRF
checks, and now that exemption is gone. This is why we need the
`X-Requested-By: Appsmith` for the login/signup form submission calls
from Cypress.
3. Removes the check on `Content-Type: application/json` header.
Previously, if a request had this header, it was considered exempt from
CSRF check. This has been removed as it appears it's not a safe
assumption in today's JSON-dominated web.

⚠️ verify SCIM flow before merging.

## Automation

/test all

### 🔍 Cypress test results
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/13697073430>
> Commit: 0873799e2346e58dac3d59b1a3890b86ab17d5b4
> [Cypress dashboard](https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=13697073430&attempt=1)
> Tags: `@tag.All`
> Spec:
> Thu, 06 Mar 2025 12:13:19 UTC


## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No


## Summary by CodeRabbit

## Release Notes

- **New Features**
  - Introduced a `CsrfTokenInput` component to enhance security during user authentication and signup processes by including a CSRF token.

- **Improvements**
  - Enhanced API request headers for login and signup commands to improve security.
  - Added cookie validation for successful login to ensure session integrity.
  - Improved error handling for database operations.

- **Bug Fixes**
  - Removed outdated CSRF filter to streamline CSRF protection handling in the application.

- **Tests**
  - Added comprehensive unit tests for CSRF protection to ensure correct behavior under various scenarios.
  - Introduced a new test suite for testing CSRF logout and login functionality.
2025-03-08 21:01:02 +05:30
Rahul Barwal
5d213dddc6
chore: Split derived.test.js to separate files. (#38162)
## Description
This PR started with this goal:
- Deleted the unreadable `derived.test.js` (4668 lines) file and split
each suite into its own file.
- Moved all `derived.js` related specs in the widget folder to the
`__tests__` folder.

Later we found that `testRegex` in `jest.config` will treat anything
inside `__tests__` as runnable, so we modify this rule and are moving to
a consistent naming for our unit tests (any file ending with `.test.` or
`.spec.`).

This refactor aims to improve maintainability and ensure that the table
widget's derived properties are thoroughly tested.



## Automation

/ok-to-test tags=""

### 🔍 Cypress test results
> [!WARNING]
> Tests have not run on the HEAD b3168bb1a6d3070a910972d1d9a78d61a3aaee91 yet
> Tue, 17 Dec 2024 10:20:54 UTC


## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No


## Summary by CodeRabbit

- **New Features**
  - Expanded properties for table widget configuration.
  - Introduced sample data constants for column schemas and processed table data.

- **Bug Fixes**
  - Improved validation tests for editable cells and row selection functions.

- **Tests**
  - Added comprehensive test suites for various table widget functionalities, including filtering, sorting, and row selection.
  - Introduced tests for handling HTML content within table columns.
  - Added tests for new functions related to row updates and indices.
  - Enhanced test coverage for existing utility functions and table properties.

- **Chores**
  - Updated import paths to reflect a new directory structure across various test files.
  - Modified Jest configuration for improved readability and regex adjustments.
2024-12-17 18:16:27 +05:30
Pawan Kumar
2f2f5a6bf4
chore: Refactor API (#36412)
Fixes #36481 

/ok-to-test tags="@tag.All"

> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/11028542060>
> Commit: ed537d3958a3eba4502cbc32daf60c4cd814002d
> [Cypress dashboard](https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=11028542060&attempt=1)
> Tags: `@tag.All`
> Spec:
> Wed, 25 Sep 2024 08:56:31 UTC


## Summary by CodeRabbit

- **New Features**
  - Enhanced API interaction with new default configurations for requests.
  - Improved error handling with a centralized interceptor for managing various API response errors.
  - Introduced access control for specific API endpoints through blocked and enabled route management.
  - Streamlined environment-specific configurations for better maintainability.
  - Added functionalities for managing application themes, including fetching, updating, and deleting themes.
  - Introduced new API functions for retrieving consolidated page load data for viewing and editing.
  - Centralized access point for API services related to theming and consolidated page load data.
  - New modular structure for API request and response interceptors to improve organization and maintainability.

- **Tests**
  - Added unit tests for both API response and request interceptors to ensure correct functionality and error handling.

---------

Co-authored-by: Pawan Kumar <pawankumar@Pawans-MacBook-Pro-2.local>
2024-09-25 16:29:21 +05:30