Replace CSRF middleware

Closes #3349
This commit is contained in:
Cohee
2025-01-25 16:56:11 +02:00
parent 0937f44f39
commit 5ff402aabf
5 changed files with 31 additions and 25 deletions

View File

@@ -18,10 +18,9 @@ import { hideBin } from 'yargs/helpers';
// express/server related library imports
import cors from 'cors';
import { doubleCsrf } from 'csrf-csrf';
import { csrfSync } from 'csrf-sync';
import express from 'express';
import compression from 'compression';
import cookieParser from 'cookie-parser';
import cookieSession from 'cookie-session';
import multer from 'multer';
import responseTime from 'response-time';
@@ -40,7 +39,6 @@ util.inspect.defaultOptions.depth = 4;
import { loadPlugins } from './src/plugin-loader.js';
import {
initUserStorage,
getCsrfSecret,
getCookieSecret,
getCookieSessionName,
getAllEnabledUsers,
@@ -347,8 +345,8 @@ if (enableCorsProxy) {
}
function getSessionCookieAge() {
// Defaults to 24 hours in seconds if not set
const configValue = getConfigValue('sessionTimeout', 24 * 60 * 60);
// Defaults to "no expiration" if not set
const configValue = getConfigValue('sessionTimeout', -1);
// Convert to milliseconds
if (configValue > 0) {
@@ -377,27 +375,34 @@ app.use(setUserDataMiddleware);
// CSRF Protection //
if (!disableCsrf) {
const COOKIES_SECRET = getCookieSecret();
const { generateToken, doubleCsrfProtection } = doubleCsrf({
getSecret: getCsrfSecret,
cookieName: 'X-CSRF-Token',
cookieOptions: {
sameSite: 'strict',
secure: false,
const csrfSyncProtection = csrfSync({
getTokenFromState: (req) => {
if (!req.session) {
console.error('(CSRF error) getTokenFromState: Session object not initialized');
return;
}
return req.session.csrfToken;
},
size: 64,
getTokenFromRequest: (req) => req.headers['x-csrf-token'],
getTokenFromRequest: (req) => {
return req.headers['x-csrf-token']?.toString();
},
storeTokenInState: (req, token) => {
if (!req.session) {
console.error('(CSRF error) storeTokenInState: Session object not initialized');
return;
}
req.session.csrfToken = token;
},
size: 32,
});
app.get('/csrf-token', (req, res) => {
res.json({
'token': generateToken(res, req),
'token': csrfSyncProtection.generateToken(req),
});
});
app.use(cookieParser(COOKIES_SECRET));
app.use(doubleCsrfProtection);
app.use(csrfSyncProtection.csrfSynchronisedProtection);
} else {
console.warn('\nCSRF protection is disabled. This will make your server vulnerable to CSRF attacks.\n');
app.get('/csrf-token', (req, res) => {