Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor: replace csurf with csrf-csrf #864

Draft
wants to merge 4 commits into
base: develop
Choose a base branch
from
+39 −55
Draft

refactor: replace csurf with csrf-csrf #864

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e73c0c1
deps: replace csurf with csrf-csrf
pano9000 Dec 28, 2024
126ace3
refactor: replace csurf with csrf-csrf
pano9000 Dec 30, 2024
80fac8c
fix(csrfMiddleware): use sessionSecret instead
pano9000 Jan 5, 2025
b85ba68
chore: fix TS warning by type narrowing
pano9000 Jan 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
73 changes: 26 additions & 47 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 1 addition & 2 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@
"codemirror": "5.65.18",
"compression": "1.7.5",
"cookie-parser": "1.4.7",
"csurf": "1.2.2",
"csrf-csrf": "3.1.0",
"dayjs": "1.11.13",
"dayjs-plugin-utc": "0.1.2",
"debounce": "2.2.0",
Expand Down Expand Up @@ -160,7 +160,6 @@
"@types/cls-hooked": "4.3.9",
"@types/compression": "1.7.5",
"@types/cookie-parser": "1.4.8",
"@types/csurf": "1.11.5",
"@types/debounce": "1.2.4",
"@types/ejs": "3.1.5",
"@types/electron-squirrel-startup": "1.0.2",
Expand Down
2 changes: 1 addition & 1 deletion src/routes/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ function index(req: Request, res: Response) {

const view = !utils.isElectron() && req.cookies["trilium-device"] === "mobile" ? "mobile" : "desktop";

const csrfToken = req.csrfToken();
const csrfToken = (typeof req.csrfToken === "function") ? req.csrfToken() : undefined;
log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`);

// We force the page to not be cached since on mobile the CSRF token can be
Expand Down
16 changes: 11 additions & 5 deletions src/routes/routes.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,12 +9,13 @@ import auth from "../services/auth.js";
import cls from "../services/cls.js";
import sql from "../services/sql.js";
import entityChangesService from "../services/entity_changes.js";
import csurf from "csurf";
import { doubleCsrf } from "csrf-csrf";
import { createPartialContentHandler } from "@triliumnext/express-partial-content";
import rateLimit from "express-rate-limit";
import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
import NotFoundError from "../errors/not_found_error.js";
import ValidationError from "../errors/validation_error.js";
import sessionSecret from "../services/session_secret.js";

// page routes
import setupRoute from "./setup.js";
Expand Down Expand Up @@ -71,10 +72,15 @@ import etapiSpecialNoteRoutes from "../etapi/special_notes.js";
import etapiSpecRoute from "../etapi/spec.js";
import etapiBackupRoute from "../etapi/backup.js";

const csrfMiddleware = csurf({
cookie: {
path: "" // empty, so cookie is valid only for the current path
}
const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({
getSecret: () => sessionSecret,
cookieOptions: {
path: "", // empty, so cookie is valid only for the current path
secure: false,
sameSite: false,
httpOnly: false,
},
cookieName: "_csrf",
});

const MAX_ALLOWED_FILE_SIZE_MB = 250;
Expand Down