rixty/SillyTavern
1
0
Fork 0
mirror of https://github.com/SillyTavern/SillyTavern.git synced 2025-06-05 21:59:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

#883 Add option to disable CSRF tokens

Browse Source
This commit is contained in:
Cohee
2023-08-06 16:42:15 +03:00
parent 04a2d82a8d
commit 151f4d322c
3 changed files with 43 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
package.json
View File

@ -53,6 +53,7 @@
"version": "1.9.4", "version": "1.9.4",
"scripts": { "scripts": {
"start": "node server.js", "start": "node server.js",
"start-multi": "node server.js --disableCsrf",
"pkg": "pkg --compress Gzip --no-bytecode --public ." "pkg": "pkg --compress Gzip --no-bytecode --public ."
}, },
"bin": { "bin": {

6
public/script.js
View File

@ -524,7 +524,11 @@ const system_messages = {
$(document).ajaxError(function myErrorHandler(_, xhr) { $(document).ajaxError(function myErrorHandler(_, xhr) {
if (xhr.status == 403) { if (xhr.status == 403) {
toastr.warning("doubleCsrf errors in console are NORMAL in this case. Just reload the page or close this tab.", "Looks like you've opened SillyTavern in another browser tab", { timeOut: 0, extendedTimeOut: 0, preventDuplicates: true }); toastr.warning(
"doubleCsrf errors in console are NORMAL in this case. If you want to run ST in multiple tabs, start the server with --disableCsrf option.",
"Looks like you've opened SillyTavern in another browser tab",
{ timeOut: 0, extendedTimeOut: 0, preventDuplicates: true },
);
} }
}); });

15
server.js
View File

@ -34,7 +34,11 @@ if (net.setDefaultAutoSelectFamily) {
} }
const cliArguments = yargs(hideBin(process.argv)) const cliArguments = yargs(hideBin(process.argv))
.option('ssl', { .option('disableCsrf', {
type: 'boolean',
default: false,
describe: 'Disables CSRF protection'
}).option('ssl', {
type: 'boolean', type: 'boolean',
default: false, default: false,
describe: 'Enables SSL' describe: 'Enables SSL'
@ -308,6 +312,7 @@ const directories = {
}; };
// CSRF Protection // // CSRF Protection //
if (cliArguments.disableCsrf === false) {
const doubleCsrf = require('csrf-csrf').doubleCsrf; const doubleCsrf = require('csrf-csrf').doubleCsrf;
const CSRF_SECRET = crypto.randomBytes(8).toString('hex'); const CSRF_SECRET = crypto.randomBytes(8).toString('hex');
@ -333,6 +338,14 @@ app.get("/csrf-token", (req, res) => {
app.use(cookieParser(COOKIES_SECRET)); app.use(cookieParser(COOKIES_SECRET));
app.use(doubleCsrfProtection); app.use(doubleCsrfProtection);
} else {
console.warn("\nCSRF protection is disabled. This will make your server vulnerable to CSRF attacks.\n");
app.get("/csrf-token", (req, res) => {
res.json({
"token": 'disabled'
});
});
}
// CORS Settings // // CORS Settings //
const cors = require('cors'); const cors = require('cors');