From eeebec01b526f32f4eea6f3d4d7d24a4f194d11c Mon Sep 17 00:00:00 2001
From: Swordsteel
Date: Thu, 31 Jul 2025 22:41:54 +0200
Subject: [PATCH] add CsrfAccessDeniedHandler make 400
---
 .../hlaeja/configuration/SecurityConfiguration.kt | 2 ++
 .../security/handler/CsrfAccessDeniedHandler.kt | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 src/main/kotlin/ltd/hlaeja/security/handler/CsrfAccessDeniedHandler.kt
diff --git a/src/main/kotlin/ltd/hlaeja/configuration/SecurityConfiguration.kt b/src/main/kotlin/ltd/hlaeja/configuration/SecurityConfiguration.kt
index 8ebf91d..977bf01 100644
--- a/src/main/kotlin/ltd/hlaeja/configuration/SecurityConfiguration.kt
+++ b/src/main/kotlin/ltd/hlaeja/configuration/SecurityConfiguration.kt
@@ -1,5 +1,6 @@
 package ltd.hlaeja.configuration
 
+import ltd.hlaeja.security.handler.CsrfAccessDeniedHandler
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.http.HttpStatus.FOUND
@@ -15,6 +16,7 @@ class SecurityConfiguration {
 @Bean
 fun securityWebFilterChain(serverHttpSecurity: ServerHttpSecurity): SecurityWebFilterChain =
 serverHttpSecurity
+ .csrf { it.accessDeniedHandler(CsrfAccessDeniedHandler()) }
 .authorizeExchange(::authorizeExchange)
 .formLogin(::formLogin)
 .logout(::logout)
diff --git a/src/main/kotlin/ltd/hlaeja/security/handler/CsrfAccessDeniedHandler.kt b/src/main/kotlin/ltd/hlaeja/security/handler/CsrfAccessDeniedHandler.kt
new file mode 100644
index 0000000..ce6fd3c
--- /dev/null
+++ b/src/main/kotlin/ltd/hlaeja/security/handler/CsrfAccessDeniedHandler.kt
@@ -0,0 +1,15 @@
+package ltd.hlaeja.security.handler
+
+import org.springframework.http.HttpStatus.BAD_REQUEST
+import org.springframework.security.access.AccessDeniedException
+import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler
+import org.springframework.web.server.ResponseStatusException
+import org.springframework.web.server.ServerWebExchange
+import reactor.core.publisher.Mono
+
+class CsrfAccessDeniedHandler : ServerAccessDeniedHandler {
+ override fun handle(
+ exchange: ServerWebExchange,
+ denied: AccessDeniedException,
+ ): Mono = Mono.error(ResponseStatusException(BAD_REQUEST, "Access denied ${exchange.request.path}", denied))
+}
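Review bot: The reason string built in `handle` embeds `exchange.request.path`, i.e. client-supplied input that is echoed straight back whenever the error response carries the message (Spring Boot's `server.error.include-message`), and it gives the client nothing it does not already know while making the text harder to match in logs and monitoring. A fixed reason is the safer default, leaving the path to the access log and the `denied` cause that is already attached: `): Mono<Void> = Mono.error(ResponseStatusException(BAD_REQUEST, "CSRF token missing or invalid", denied))` (the return type is rendered here as bare `Mono`, presumably `Mono<Void>` with the type argument lost). Note also that, unlike the default handler that writes its status directly, this implementation reports the denial as an error signal, so the 400 the client actually sees depends on the downstream WebFlux exception handling mapping the `ResponseStatusException` — worth stating in a KDoc on the class, e.g. `/** Reports CSRF rejections as a 400 [ResponseStatusException] instead of the default 403; the response itself is produced by the WebFlux error handling. */`.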