## Description
The login page, and a few other pages are exempted from CSRF today and
aren't doing any check at all. This makes our login page vulnerable to
CSRF. But it's not really exploitable in its current form, since there's
other points in the login flow that patch this hole up.
Nevertheless, CSRF being possible on the login form doesn't sound good
in any tone and context. This PR fixes this by not exempting _anything_
from CSRF, and doing a stateless CSRF check where necessary.
PR summary:
1. Switches from our home-built CSRF filter implementation to Spring's
native implementation.
2. Login form and a few others were previously exempted from CSRF
checks, and now that exemption is gone. This is why we need the
`X-Requested-By: Appsmith` for the login/signup form submission calls
from Cypress.
3. Removes the check on `Content-Type: application/json` header.
Previously, if a request had this header, it was considered exempt from
CSRF check. This has been removed as it appears it's not a safe
assumption in today's JSON-dominated web.
⚠️ verify SCIM flow before merging.
## Automation
/test all
### 🔍 Cypress test results
<!-- This is an auto-generated comment: Cypress test results -->
> [!TIP]
> 🟢🟢🟢 All cypress tests have passed! 🎉🎉🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/13697073430>
> Commit: 0873799e2346e58dac3d59b1a3890b86ab17d5b4
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=13697073430&attempt=1"
target="_blank">Cypress dashboard</a>.
> Tags: `@tag.All`
> Spec:
> <hr>Thu, 06 Mar 2025 12:13:19 UTC
<!-- end of auto-generated comment: Cypress test results -->
## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
- **New Features**
- Introduced a `CsrfTokenInput` component to enhance security during
user authentication and signup processes by including a CSRF token.
- **Improvements**
- Enhanced API request headers for login and signup commands to improve
security.
- Added cookie validation for successful login to ensure session
integrity.
- Improved error handling for database operations.
- **Bug Fixes**
- Removed outdated CSRF filter to streamline CSRF protection handling in
the application.
- **Tests**
- Added comprehensive unit tests for CSRF protection to ensure correct
behavior under various scenarios.
- Introduced a new test suite for testing CSRF logout and login
functionality.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
32ed0ac9ad