mirror of
https://github.com/SillyTavern/SillyTavern.git
synced 2025-06-05 21:59:27 +02:00
41
server.js
41
server.js
@@ -18,10 +18,9 @@ import { hideBin } from 'yargs/helpers';
|
||||
|
||||
// express/server related library imports
|
||||
import cors from 'cors';
|
||||
import { doubleCsrf } from 'csrf-csrf';
|
||||
import { csrfSync } from 'csrf-sync';
|
||||
import express from 'express';
|
||||
import compression from 'compression';
|
||||
import cookieParser from 'cookie-parser';
|
||||
import cookieSession from 'cookie-session';
|
||||
import multer from 'multer';
|
||||
import responseTime from 'response-time';
|
||||
@@ -40,7 +39,6 @@ util.inspect.defaultOptions.depth = 4;
|
||||
import { loadPlugins } from './src/plugin-loader.js';
|
||||
import {
|
||||
initUserStorage,
|
||||
getCsrfSecret,
|
||||
getCookieSecret,
|
||||
getCookieSessionName,
|
||||
getAllEnabledUsers,
|
||||
@@ -347,8 +345,8 @@ if (enableCorsProxy) {
|
||||
}
|
||||
|
||||
function getSessionCookieAge() {
|
||||
// Defaults to 24 hours in seconds if not set
|
||||
const configValue = getConfigValue('sessionTimeout', 24 * 60 * 60);
|
||||
// Defaults to "no expiration" if not set
|
||||
const configValue = getConfigValue('sessionTimeout', -1);
|
||||
|
||||
// Convert to milliseconds
|
||||
if (configValue > 0) {
|
||||
@@ -377,27 +375,34 @@ app.use(setUserDataMiddleware);
|
||||
|
||||
// CSRF Protection //
|
||||
if (!disableCsrf) {
|
||||
const COOKIES_SECRET = getCookieSecret();
|
||||
|
||||
const { generateToken, doubleCsrfProtection } = doubleCsrf({
|
||||
getSecret: getCsrfSecret,
|
||||
cookieName: 'X-CSRF-Token',
|
||||
cookieOptions: {
|
||||
sameSite: 'strict',
|
||||
secure: false,
|
||||
const csrfSyncProtection = csrfSync({
|
||||
getTokenFromState: (req) => {
|
||||
if (!req.session) {
|
||||
console.error('(CSRF error) getTokenFromState: Session object not initialized');
|
||||
return;
|
||||
}
|
||||
return req.session.csrfToken;
|
||||
},
|
||||
size: 64,
|
||||
getTokenFromRequest: (req) => req.headers['x-csrf-token'],
|
||||
getTokenFromRequest: (req) => {
|
||||
return req.headers['x-csrf-token']?.toString();
|
||||
},
|
||||
storeTokenInState: (req, token) => {
|
||||
if (!req.session) {
|
||||
console.error('(CSRF error) storeTokenInState: Session object not initialized');
|
||||
return;
|
||||
}
|
||||
req.session.csrfToken = token;
|
||||
},
|
||||
size: 32,
|
||||
});
|
||||
|
||||
app.get('/csrf-token', (req, res) => {
|
||||
res.json({
|
||||
'token': generateToken(res, req),
|
||||
'token': csrfSyncProtection.generateToken(req),
|
||||
});
|
||||
});
|
||||
|
||||
app.use(cookieParser(COOKIES_SECRET));
|
||||
app.use(doubleCsrfProtection);
|
||||
app.use(csrfSyncProtection.csrfSynchronisedProtection);
|
||||
} else {
|
||||
console.warn('\nCSRF protection is disabled. This will make your server vulnerable to CSRF attacks.\n');
|
||||
app.get('/csrf-token', (req, res) => {
|
||||
|
Reference in New Issue
Block a user