Tags: security, csrf, csrf-token

Does public contact form require a CSRF token?


Let's say we have a simple contact form publicly available on our website. The FE application makes a request that goes to a BE service and is processed somehow there. It doesn't require any authentication, so everybody can just submit a request and that's it.

When I look at OWASP doc here it looks like the above example doesn't fall into that. There is no authenticated user context in the contact request, so I don't see any scenario of an attack that CSRF token would prevent.

Could anybody either confirm this approach or present a scenario of such an attack where a CSRF token would make sense?

Maybe worth adding that we don't keep any user session. We have a SPA (in Angular) that is served by Nginx, and we use only a stateless bearer token for authentication (based on SSO) with BE services. So the above seems to be another impediment to using a CSRF token, because we don't have any session object stored anywhere to verify the CSRF token in the BE. Using a cookie to transport the token to the browser also seems not to be valid here, as Nginx is serving the app, so we can't do any validation of a token that comes with the cookie.


Solution

  • You are right: CSRF only matters when a user is authenticated and sending a resource-changing request.

    Since there is no authentication involved, the attacker couldn't abuse a user's authority to do something.

    As everyone can send the form.

    The only scenario I can think of where you might need CSRF protection for the public form is when you add some semi-authentication, like for detecting DDoS. For example:

    You use a mechanism to ensure each IP address can send only one request a day, without asking them for a captcha.

    Since you are semi-authenticating them (one user is not equal to others).

    An attacker might use a CSRF attack to bypass your DDoS protection.

    He/she may send malware to a network in which each node can send a form and take down the application-level DDoS prevention based on IP (semi-auth).
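A worked illustration of the answer's "semi-authentication" case, added here as an example and not part of the question or the answer: a stateless, HMAC-signed CSRF token (no session store, which fits the SPA-plus-bearer-token setup described in the question) that the backend verifies before it spends a client IP's daily quota. The function names (`issue_token`, `verify_token`, `handle_contact`), the same-origin token endpoint and the constructed secret are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
import time

# Server-side secret, constructed here for the example (load from config in practice).
SECRET = os.urandom(32)
MAX_AGE = 3600  # seconds a token stays valid


def issue_token(secret, now=None):
    """Mint a stateless CSRF token "<nonce>.<issued-at>.<hmac>".

    The SPA fetches it from a same-origin endpoint (CORS limited to the site's
    own origin) and sends it back in a header on the contact POST. Nothing is
    stored server-side: the HMAC lets the backend recognise its own tokens.
    """
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    issued = str(int(time.time() if now is None else now))
    mac = hmac.new(secret, f"{nonce}.{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{issued}.{mac}"


def verify_token(secret, token, now=None):
    """Accept only tokens with a valid HMAC that are at most MAX_AGE old."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    nonce, issued, mac = parts
    expected = hmac.new(secret, f"{nonce}.{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    current = time.time() if now is None else now
    return 0 <= current - int(issued) <= MAX_AGE


def handle_contact(src_ip, token, quota, now=None):
    """Contact endpoint with the one-request-per-IP-per-day rule from the answer.

    The CSRF check runs before the quota is spent, so a cross-site page loaded
    in a victim's browser cannot burn that victim's single daily submission.
    Returns an HTTP status code.
    """
    if not verify_token(SECRET, token, now):
        return 403  # a foreign origin cannot read a token from our endpoint
    if quota.get(src_ip, 0) >= 1:
        return 429  # this IP already submitted today
    quota[src_ip] = quota.get(src_ip, 0) + 1
    return 200
```

Because the token is fetched over a same-origin request and carried in a header, the browser's same-origin policy keeps a third-party page from obtaining it, which is what makes the quota check trustworthy without any session state.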