Enable Customized CSRF Protection in Angular UI

[tdonohue]

References

• Replaces Re-enable automated CSRF Protection: Add custom XSRF interceptor which works with cross origin requests #833 (Based heavily on this PR)
• Replaces Tighten security of our Auth Token (JWT) via CSRF prevention techniques #907
• Requires Enable Customized CSRF Protection in Spring Security for Server Webapp DSpace#3103

Description

This PR creates a customized XsrfInterceptor which responds to the Backend/Server Webapp based on the custom CSRF Protection added in DSpace/DSpace#3103

Namely, the behavior is as follows:

1. Backend generates XSRF token & stores in a server-side (only) cookie named DSPACE-XSRF-COOKIE. This cookie is not read/used by Angular, but is returned (by user's browser) on every subsequent request to backend.
2. Backend also sends XSRF token in a header named DSPACE-XSRF-TOKEN to Angular.
3. A custom XsrfInterceptor looks for DSPACE-XSRF-TOKEN header in a response. If found, its value is saved to a client-side (only) cookie named XSRF-TOKEN.
4. Whenever Angular is making a mutating request (POST, PUT, DELETE, etc), the same XsrfInterceptor checks for that client-side XSRF-TOKEN cookie. If found, its value is sent to the backend in the X-XSRF-TOKEN header.
5. On backend, the X-XSRF-TOKEN header is received & compared to the current value of the server-side cookie named DSPACE-XSRF-COOKIE (created in step 1). If tokens match, the request is accepted. If tokens don't match a 403 is returned.

Instructions for Reviewers

Must be tested with DSpace/DSpace#3103

• Review code
• Test Authentication via Password
• Test Authentication via Shibboleth
• Perform some actions while logged in. Ensure no 403 errors occur (this implies an XSRF mismatch/failure).

Checklist

• My PR is small in size (e.g. less than 1,000 lines of code, not including comments & specs/tests), or I have provided reasons as to why that's not possible.
• My PR passes TSLint validation using yarn run lint
• My PR doesn't introduce circular dependencies
• My PR includes TypeDoc comments for all new (or modified) public methods and classes. It also includes TypeDoc for large or complex private methods.
• My PR passes all specs/tests and includes new/updated specs or tests based on the Code Testing Guide.
• If my PR includes new, third-party dependencies (in package.json), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.

[artlowel]

Thanks @tdonohue!

It works, and the code looks good

[tdonohue]

Just resolved the merge conflicts after merging #975 . I also retested just to verify everything was still working & it's looking good. Will merge on Monday (assuming CI passes & no other feedback to resolve)

[tdonohue]

Merging as the REST PR is at +2, and this is at +1 and flagged as 1 Approval.