Since there is no JavaScript version of XorCsrfTokenRequestAttributeHandler for debugging or client-side implementation, I think you could provide a formal reference for it, for example:

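/**
 * Masks a raw CSRF token in the layout this snippet is meant to mirror from
 * Spring Security's XorCsrfTokenRequestAttributeHandler:
 * base64url(randomBytes || (randomBytes XOR tokenBytes)), without padding.
 *
 * @param {string} token - Raw CSRF token value.
 * @returns {string} Unpadded base64url encoding of the random mask followed
 *   by the masked token bytes.
 */
const createXoredCsrfToken = (token) => {
  // One entry per UTF-16 code unit. Values above 0xFF lose their high bits
  // once copied into a Uint8Array, so this assumes an ASCII token.
  const tokenBytes = Array.from({ length: token.length }, (_, i) => token.charCodeAt(i));

  const randomBytes = new Uint8Array(tokenBytes.length);
  if (typeof crypto !== 'undefined' && typeof crypto.getRandomValues === 'function') {
    // Fill the mask from the platform CSPRNG when the runtime provides one.
    crypto.getRandomValues(randomBytes);
  } else {
    // Math.random() is not a cryptographically secure generator. This branch
    // only keeps the helper usable for debugging on runtimes without
    // crypto.getRandomValues; do not rely on it for production masking.
    for (let i = 0; i < randomBytes.length; i++) {
      randomBytes[i] = Math.floor(Math.random() * 256);
    }
  }

  // The mask goes first and the masked token second, so the receiver can
  // split the decoded bytes in half and XOR the halves to recover the token.
  const xoredBytes = xorCsrf(randomBytes, tokenBytes);
  const combinedBytes = new Uint8Array(tokenBytes.length + randomBytes.length);
  combinedBytes.set(randomBytes);
  combinedBytes.set(xoredBytes, randomBytes.length);

  // Standard base64 -> URL-safe alphabet, trailing '=' padding stripped.
  return Buffer.from(combinedBytes).toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
};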

/**
 * XORs the leading bytes of csrfBytes with randomBytes.
 *
 * @param {Uint8Array|number[]} randomBytes - Mask bytes.
 * @param {Uint8Array|number[]} csrfBytes - Token bytes to mask or unmask.
 * @returns {Uint8Array|null} randomBytes.length XORed bytes, or null when
 *   csrfBytes is shorter than randomBytes.
 */
const xorCsrf = (randomBytes, csrfBytes) => {
  const maskLength = randomBytes.length;
  if (csrfBytes.length < maskLength) {
    return null;
  }
  // After the guard the shorter of the two lengths is always the mask length.
  const masked = Uint8Array.from(csrfBytes.slice(0, maskLength));
  masked.forEach((byte, index) => {
    masked[index] = byte ^ randomBytes[index];
  });
  return masked;
};

It can also be used in Postman:

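/**
 * Builds the masked CSRF token value to send back to the server:
 * base64url(randomBytes || (randomBytes XOR tokenBytes)), without padding.
 *
 * @param {string} token - Raw CSRF token (here, the CSRF cookie value).
 * @returns {string} Unpadded base64url string holding the random mask
 *   followed by the masked token bytes.
 */
const createXoredCsrfToken = (token) => {
  // charCodeAt yields UTF-16 code units; anything above 0xFF is truncated when
  // written into a Uint8Array, so the token is assumed to be ASCII.
  const tokenBytes = Array.from({ length: token.length }, (_, i) => token.charCodeAt(i));

  const randomBytes = new Uint8Array(tokenBytes.length);
  if (typeof crypto !== 'undefined' && typeof crypto.getRandomValues === 'function') {
    // Use the CSPRNG when the scripting sandbox exposes one.
    crypto.getRandomValues(randomBytes);
  } else {
    // NOTE(review): not every scripting sandbox may expose
    // crypto.getRandomValues - confirm for your Postman version.
    // Math.random() is not cryptographically secure, so this fallback is
    // suitable for debugging requests only.
    for (let i = 0; i < randomBytes.length; i++) {
      randomBytes[i] = Math.floor(Math.random() * 256);
    }
  }

  // Layout: mask first, masked token second.
  const xoredBytes = xorCsrf(randomBytes, tokenBytes);
  const combinedBytes = new Uint8Array(tokenBytes.length + randomBytes.length);
  combinedBytes.set(randomBytes);
  combinedBytes.set(xoredBytes, randomBytes.length);

  // Convert standard base64 to the URL-safe alphabet and drop '=' padding.
  return Buffer.from(combinedBytes).toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
};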

/**
 * Byte-wise XOR of a mask against the start of the token bytes.
 *
 * @param {Uint8Array|number[]} randomBytes - Mask bytes.
 * @param {Uint8Array|number[]} csrfBytes - Token bytes.
 * @returns {Uint8Array|null} XOR of the first randomBytes.length bytes, or
 *   null if csrfBytes has fewer bytes than randomBytes.
 */
const xorCsrf = (randomBytes, csrfBytes) => {
  if (randomBytes.length > csrfBytes.length) {
    return null;
  }
  // Past the guard, the mask is never longer than the token bytes.
  const size = randomBytes.length;
  const result = Uint8Array.from(csrfBytes.slice(0, size));
  for (let pos = 0; pos < size; pos += 1) {
    result[pos] = result[pos] ^ randomBytes[pos];
  }
  return result;
};

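// Replace XSRF-TOKEN with your cookie name.
// Reads the raw CSRF token from the response cookie and stores its masked
// form in the "xsrf-token" environment variable for later requests.
const xsrfCookie = postman.getResponseCookie("XSRF-TOKEN");
if (!xsrfCookie || !xsrfCookie.value) {
  // Fail with a clear message instead of a TypeError on `.value`, and avoid
  // leaving a stale "xsrf-token" value from an earlier run looking current.
  throw new Error("XSRF-TOKEN cookie not found in the response");
}
postman.setEnvironmentVariable("xsrf-token", createXoredCsrfToken(xsrfCookie.value));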

Comment From: sjohnr

Thanks for reaching out, @HashZhang!

Spring Security is not a client-side framework and therefore doesn't generally maintain or recommend specific JavaScript code for integrating with the framework. Occasionally, our reference docs will contain the bare minimum JS code to illustrate an example. I'm not sure that we would want to have a recommendation to use the code you have provided here anywhere in our docs. However, thank you for providing it!

I think we can leave this issue here for others to benefit from it if it is helpful to them. Having said that, I'm going to close this issue. If you feel like we need to discuss this more, we can easily reopen this issue if necessary.