Replace CSRF middleware

Closes #3349
2025-06-05 21:59:27 +02:00 · 2025-01-25 16:56:11 +02:00
parent 0937f44f39
commit 5ff402aabf
5 changed files with 31 additions and 25 deletions
--- a/server.js
+++ b/server.js
@@ -18,10 +18,9 @@ import { hideBin } from 'yargs/helpers';

 // express/server related library imports
 import cors from 'cors';
-import { doubleCsrf } from 'csrf-csrf';
+import { csrfSync } from 'csrf-sync';
 import express from 'express';
 import compression from 'compression';
-import cookieParser from 'cookie-parser';
 import cookieSession from 'cookie-session';
 import multer from 'multer';
 import responseTime from 'response-time';
@@ -40,7 +39,6 @@ util.inspect.defaultOptions.depth = 4;
 import { loadPlugins } from './src/plugin-loader.js';
 import {
    initUserStorage,
-    getCsrfSecret,
    getCookieSecret,
    getCookieSessionName,
    getAllEnabledUsers,
@@ -347,8 +345,8 @@ if (enableCorsProxy) {
 }

 function getSessionCookieAge() {
-    // Defaults to 24 hours in seconds if not set
-    const configValue = getConfigValue('sessionTimeout', 24 * 60 * 60);
+    // Defaults to "no expiration" if not set
+    const configValue = getConfigValue('sessionTimeout', -1);

    // Convert to milliseconds
    if (configValue > 0) {
@@ -377,27 +375,34 @@ app.use(setUserDataMiddleware);

 // CSRF Protection //
 if (!disableCsrf) {
-    const COOKIES_SECRET = getCookieSecret();
-
-    const { generateToken, doubleCsrfProtection } = doubleCsrf({
-        getSecret: getCsrfSecret,
-        cookieName: 'X-CSRF-Token',
-        cookieOptions: {
-            sameSite: 'strict',
-            secure: false,
+    const csrfSyncProtection = csrfSync({
+        getTokenFromState: (req) => {
+            if (!req.session) {
+                console.error('(CSRF error) getTokenFromState: Session object not initialized');
+                return;
+            }
+            return req.session.csrfToken;
        },
-        size: 64,
-        getTokenFromRequest: (req) => req.headers['x-csrf-token'],
+        getTokenFromRequest: (req) => {
+            return req.headers['x-csrf-token']?.toString();
+        },
+        storeTokenInState: (req, token) => {
+            if (!req.session) {
+                console.error('(CSRF error) storeTokenInState: Session object not initialized');
+                return;
+            }
+            req.session.csrfToken = token;
+        },
+        size: 32,
    });

    app.get('/csrf-token', (req, res) => {
        res.json({
-            'token': generateToken(res, req),
+            'token': csrfSyncProtection.generateToken(req),
        });
    });

-    app.use(cookieParser(COOKIES_SECRET));
-    app.use(doubleCsrfProtection);
+    app.use(csrfSyncProtection.csrfSynchronisedProtection);
 } else {
    console.warn('\nCSRF protection is disabled. This will make your server vulnerable to CSRF attacks.\n');
    app.get('/csrf-token', (req, res) => {