refactor: replace csurf with csrf-csrf

I've kept the identical same settings as before – however they are not *ideal* from what I read. More secure settings will need to be tested a bit more thoroughly first and will be a separate PR.
TriliumNext · Dec 30, 2024 · cd1a47c · cd1a47c
1 parent d570bcd
commit cd1a47c
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/src/routes/routes.ts b/src/routes/routes.ts
@@ -9,7 +9,7 @@ import auth from "../services/auth.js";
 import cls from "../services/cls.js";
 import sql from "../services/sql.js";
 import entityChangesService from "../services/entity_changes.js";
-import csurf from "csurf";
+import { doubleCsrf } from "csrf-csrf";
 import { createPartialContentHandler } from "@triliumnext/express-partial-content";
 import rateLimit from "express-rate-limit";
 import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
@@ -71,10 +71,15 @@ import etapiSpecialNoteRoutes from "../etapi/special_notes.js";
 import etapiSpecRoute from "../etapi/spec.js";
 import etapiBackupRoute from "../etapi/backup.js";
 
-const csrfMiddleware = csurf({
-    cookie: {
-        path: ""       // empty, so cookie is valid only for the current path
-    }
+const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({
+  getSecret: (req) => req.secret,
+  cookieOptions: {
+    path: "",       // empty, so cookie is valid only for the current path
+    secure: false,
+    sameSite: false,
+    httpOnly: false,
+  },
+  cookieName: "_csrf",
 });
 
 const MAX_ALLOWED_FILE_SIZE_MB = 250;