	#883 Add option to disable CSRF tokens
		| @@ -53,6 +53,7 @@ | ||||
|     "version": "1.9.4", | ||||
|     "scripts": { | ||||
|         "start": "node server.js", | ||||
|         "start-multi": "node server.js --disableCsrf", | ||||
|         "pkg": "pkg --compress Gzip --no-bytecode --public ." | ||||
|     }, | ||||
|     "bin": { | ||||
|   | ||||
| @@ -524,7 +524,11 @@ const system_messages = { | ||||
|  | ||||
| $(document).ajaxError(function myErrorHandler(_, xhr) { | ||||
|     if (xhr.status == 403) { | ||||
|         toastr.warning("doubleCsrf errors in console are NORMAL in this case. Just reload the page or close this tab.", "Looks like you've opened SillyTavern in another browser tab", { timeOut: 0, extendedTimeOut: 0, preventDuplicates: true }); | ||||
|         toastr.warning( | ||||
|             "doubleCsrf errors in console are NORMAL in this case. If you want to run ST in multiple tabs, start the server with --disableCsrf option.", | ||||
|             "Looks like you've opened SillyTavern in another browser tab", | ||||
|             { timeOut: 0, extendedTimeOut: 0, preventDuplicates: true }, | ||||
|         ); | ||||
|     } | ||||
| }); | ||||
|  | ||||
|   | ||||
							
								
								
									
										37
									
								
								server.js
									
									
									
									
									
								
							
							
						
						
									
							| @@ -34,7 +34,11 @@ if (net.setDefaultAutoSelectFamily) { | ||||
| } | ||||
|  | ||||
| const cliArguments = yargs(hideBin(process.argv)) | ||||
|     .option('ssl', { | ||||
|     .option('disableCsrf', { | ||||
|         type: 'boolean', | ||||
|         default: false, | ||||
|         describe: 'Disables CSRF protection' | ||||
|     }).option('ssl', { | ||||
|         type: 'boolean', | ||||
|         default: false, | ||||
|         describe: 'Enables SSL' | ||||
| @@ -149,7 +153,7 @@ let first_run = true; | ||||
|  | ||||
| function get_mancer_headers() { | ||||
|     const api_key_mancer = readSecret(SECRET_KEYS.MANCER); | ||||
|     return api_key_mancer ? { "X-API-KEY": api_key_mancer} : {}; | ||||
|     return api_key_mancer ? { "X-API-KEY": api_key_mancer } : {}; | ||||
| } | ||||
|  | ||||
|  | ||||
| @@ -308,12 +312,13 @@ const directories = { | ||||
| }; | ||||
|  | ||||
| // CSRF Protection // | ||||
| const doubleCsrf = require('csrf-csrf').doubleCsrf; | ||||
| if (cliArguments.disableCsrf === false) { | ||||
|     const doubleCsrf = require('csrf-csrf').doubleCsrf; | ||||
|  | ||||
| const CSRF_SECRET = crypto.randomBytes(8).toString('hex'); | ||||
| const COOKIES_SECRET = crypto.randomBytes(8).toString('hex'); | ||||
|     const CSRF_SECRET = crypto.randomBytes(8).toString('hex'); | ||||
|     const COOKIES_SECRET = crypto.randomBytes(8).toString('hex'); | ||||
|  | ||||
| const { generateToken, doubleCsrfProtection } = doubleCsrf({ | ||||
|     const { generateToken, doubleCsrfProtection } = doubleCsrf({ | ||||
|         getSecret: () => CSRF_SECRET, | ||||
|         cookieName: "X-CSRF-Token", | ||||
|         cookieOptions: { | ||||
| @@ -323,16 +328,24 @@ const { generateToken, doubleCsrfProtection } = doubleCsrf({ | ||||
|         }, | ||||
|         size: 64, | ||||
|         getTokenFromRequest: (req) => req.headers["x-csrf-token"] | ||||
| }); | ||||
|     }); | ||||
|  | ||||
| app.get("/csrf-token", (req, res) => { | ||||
|     app.get("/csrf-token", (req, res) => { | ||||
|         res.json({ | ||||
|             "token": generateToken(res) | ||||
|         }); | ||||
| }); | ||||
|     }); | ||||
|  | ||||
| app.use(cookieParser(COOKIES_SECRET)); | ||||
| app.use(doubleCsrfProtection); | ||||
|     app.use(cookieParser(COOKIES_SECRET)); | ||||
|     app.use(doubleCsrfProtection); | ||||
| } else { | ||||
|     console.warn("\nCSRF protection is disabled. This will make your server vulnerable to CSRF attacks.\n"); | ||||
|     app.get("/csrf-token", (req, res) => { | ||||
|         res.json({ | ||||
|             "token": 'disabled' | ||||
|         }); | ||||
|     }); | ||||
| } | ||||
|  | ||||
| // CORS Settings // | ||||
| const cors = require('cors'); | ||||
| @@ -662,7 +675,7 @@ app.post("/generate_textgenerationwebui", jsonParser, async function (request, r | ||||
|             try { | ||||
|                 retval.response = await error.json(); | ||||
|                 retval.response = retval.response.result; | ||||
|             } catch {} | ||||
|             } catch { } | ||||
|             return response_generate.send(retval); | ||||
|         } | ||||
|     } | ||||
|   | ||||
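Review bot: With `app.use(cookieParser(COOKIES_SECRET))` now inside the `if (cliArguments.disableCsrf === false)` branch, no cookie parser is mounted at all when the flag is set, so any later middleware or route that reads `req.cookies` or `req.signedCookies` would see `undefined` in that mode; if anything downstream depends on it (not visible in this hunk), move `const COOKIES_SECRET = crypto.randomBytes(8).toString('hex');` and `app.use(cookieParser(COOKIES_SECRET));` above the branch and keep only `app.use(doubleCsrfProtection);` conditional. The `else` branch's warning could also state the boundary under which the flag is acceptable, e.g. `console.warn("\nCSRF protection is disabled. Only use --disableCsrf when the server is not reachable from other origins (e.g. bound to localhost).\n");`, since the client-side toast in the earlier hunk recommends the flag for multi-tab use without any such caveat. Separately, `crypto.randomBytes(8)` yields only 64 bits for both the CSRF secret and the cookie-signing secret; those lines are only re-indented by this commit, but `crypto.randomBytes(32)` is a cheap hardening while the block is being touched.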