From cd1a47c1c184e7a8dc918af851ca2b3deefd8721 Mon Sep 17 00:00:00 2001
From: Panagiotis Papadopoulos
Date: Mon, 30 Dec 2024 15:31:29 +0100
Subject: [PATCH] refactor: replace csurf with csrf-csrf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I've kept the identical same settings as before – however they are not *ideal* from what I read. More secure settings will need to be tested a bit more thoroughly first and will be a separate PR.
---
 src/routes/routes.ts | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/routes/routes.ts b/src/routes/routes.ts
index ac26999f6..5bf8d92c4 100644
--- a/src/routes/routes.ts
+++ b/src/routes/routes.ts
@@ -9,7 +9,7 @@ import auth from "../services/auth.js";
 import cls from "../services/cls.js";
 import sql from "../services/sql.js";
 import entityChangesService from "../services/entity_changes.js";
-import csurf from "csurf";
+import { doubleCsrf } from "csrf-csrf";
 import { createPartialContentHandler } from "@triliumnext/express-partial-content";
 import rateLimit from "express-rate-limit";
 import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
@@ -71,10 +71,15 @@ import etapiSpecialNoteRoutes from "../etapi/special_notes.js";
 import etapiSpecRoute from "../etapi/spec.js";
 import etapiBackupRoute from "../etapi/backup.js";
 
-const csrfMiddleware = csurf({
- cookie: {
- path: "" // empty, so cookie is valid only for the current path
- }
+const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({
+ getSecret: (req) => req.secret,
+ cookieOptions: {
+ path: "", // empty, so cookie is valid only for the current path
+ secure: false,
+ sameSite: false,
+ httpOnly: false,
+ },
+ cookieName: "_csrf",
 });
 
 const MAX_ALLOWED_FILE_SIZE_MB = 250;
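Review bot: `getSecret: (req) => req.secret` in the second hunk keys every CSRF token on whatever cookie-parser attached to the request; if cookie-parser is registered without a secret (not visible in this patch), `req.secret` is undefined and the token HMAC is computed over an undefined key, so I would fail fast instead: `getSecret: (req) => { if (!req.secret) throw new Error("csrf: cookie-parser secret not configured"); return req.secret; },`. Separately, csurf's default token lookup accepted `req.body._csrf`, `req.query._csrf` and the `csrf-token`/`xsrf-token`/`x-xsrf-token` headers, whereas csrf-csrf's default `getTokenFromRequest` reads only the `x-csrf-token` header, so any client that submits the token another way will now be rejected; worth confirming against the frontend or passing an explicit `getTokenFromRequest`. The surrounding module continues outside both hunks.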