Add CSRF check into websockets

This adds CSRF check into websockets to avoid
attacks on websockets.

Tested: Could no longer use crosssite scripting to
open websocket. KVM and SOL still work once web-ui
changes are updated

Change-Id: I325079ae3d4db2701671564dff733e034d2670d6
Signed-off-by: James Feist <james.feist@linux.intel.com>
diff --git a/http/websocket.h b/http/websocket.h
index c467d25..ad090e0 100644
--- a/http/websocket.h
+++ b/http/websocket.h
@@ -72,7 +72,7 @@
         openHandler(std::move(open_handler)),
         messageHandler(std::move(message_handler)),
         closeHandler(std::move(close_handler)),
-        errorHandler(std::move(error_handler))
+        errorHandler(std::move(error_handler)), session(reqIn.session)
     {
         BMCWEB_LOG_DEBUG << "Creating new connection " << this;
     }
@@ -94,8 +94,20 @@
         // Perform the websocket upgrade
         ws.async_accept_ex(
             req,
-            [protocol{std::string(protocol)}](
+            [session{session}, protocol{std::string(protocol)}](
                 boost::beast::websocket::response_type& m) {
+
+#ifndef BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION
+                // use protocol for csrf checking
+                if (session->cookieAuth &&
+                    !crow::utility::constantTimeStringCompare(
+                        protocol, session->csrfToken))
+                {
+                    BMCWEB_LOG_ERROR << "Websocket CSRF error";
+                    m.result(boost::beast::http::status::unauthorized);
+                    return;
+                }
+#endif
                 if (!protocol.empty())
                 {
                     m.insert(bf::sec_websocket_protocol, protocol);
@@ -262,6 +274,7 @@
     std::function<void(Connection&, const std::string&, bool)> messageHandler;
     std::function<void(Connection&, const std::string&)> closeHandler;
     std::function<void(Connection&)> errorHandler;
+    std::shared_ptr<crow::persistent_data::UserSession> session;
 };
 } // namespace websocket
 } // namespace crow
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 4144705..8ff903a 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -39,6 +39,7 @@
     std::string csrfToken;
     std::chrono::time_point<std::chrono::steady_clock> lastUpdated;
     PersistenceType persistence;
+    bool cookieAuth = false;
 
     /**
      * @brief Fills object with data from UserSession's JSON representation
diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
index efa691c..aaa1325 100644
--- a/include/token_authorization_middleware.hpp
+++ b/include/token_authorization_middleware.hpp
@@ -236,6 +236,7 @@
             }
         }
 #endif
+        session->cookieAuth = true;
         return session;
     }