From 5a994290f26fe635d0dcf63e6233cb62b271afa8 Mon Sep 17 00:00:00 2001
From: psibean
Date: Sun, 29 Jan 2023 20:31:21 +1030
Subject: [PATCH] Replace csurf with csrf-sync
---
 install/package.json | 2 +-
 src/controllers/api.js | 3 ++-
 src/middleware/csrf.js | 15 +++++++++++++++
 src/middleware/index.js | 4 ++--
 src/routes/authentication.js | 3 ++-
 5 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 src/middleware/csrf.js
diff --git a/install/package.json b/install/package.json
index 11d23adc31..d9ba7249ee 100644
--- a/install/package.json
+++ b/install/package.json
@@ -55,7 +55,7 @@
 "cookie-parser": "1.4.6",
 "cron": "2.2.0",
 "cropperjs": "1.5.13",
- "csurf": "1.11.0",
+ "csrf-sync": "4.0.0",
 "daemon": "1.1.0",
 "diff": "5.1.0",
 "esbuild": "0.17.8",
diff --git a/src/controllers/api.js b/src/controllers/api.js
index 7474f6e7a0..5db3b2d9b0 100644
--- a/src/controllers/api.js
+++ b/src/controllers/api.js
@@ -9,6 +9,7 @@ const categories = require('../categories');
 const plugins = require('../plugins');
 const translator = require('../translator');
 const languages = require('../languages');
+const { generateToken } = require('../middleware/csrf');
 const apiController = module.exports;
@@ -64,7 +65,7 @@ apiController.loadConfig = async function (req) {
 'cache-buster': meta.config['cache-buster'] || '',
 topicPostSort: meta.config.topicPostSort || 'oldest_to_newest',
 categoryTopicSort: meta.config.categoryTopicSort || 'newest_to_oldest',
- csrf_token: req.uid >= 0 && req.csrfToken && req.csrfToken(),
+ csrf_token: req.uid >= 0 ? generateToken(req) : undefined,
 searchEnabled: plugins.hooks.hasListeners('filter:search.query'),
 searchDefaultInQuick: meta.config.searchDefaultInQuick || 'titles',
 bootswatchSkin: meta.config.bootswatchSkin || '',
diff --git a/src/middleware/csrf.js b/src/middleware/csrf.js
new file mode 100644
index 0000000000..4ad824bca1
--- /dev/null
+++ b/src/middleware/csrf.js
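Review bot: The new `csrf_token` line in `loadConfig` no longer tolerates a request without CSRF state: the removed `req.csrfToken &&` guard made the field optional, while `generateToken(req)` — configured in this patch with only `size`, so csrf-sync's documented defaults keep the token in `req.session` — will throw if `req.session` is absent. Whether a request with `req.uid >= 0` can reach here without a session is not visible in the hunk; if it can, `csrf_token: req.uid >= 0 && req.session ? generateToken(req) : undefined` preserves the old behaviour. The line also deserves a comment because the semantics changed from csurf's per-call salted tokens to one stored token per session: `// csrf-sync: returns the session's existing token; a new one is minted only on first use or via generateToken(req, true)`. `loadConfig` begins and ends outside the hunk.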
@@ -0,0 +1,15 @@
+'use strict';
+
+const { csrfSync } = require('csrf-sync');
+
+const {
+ generateToken,
+ csrfSynchronisedProtection,
+} = csrfSync({
+ size: 64
+});
+
+module.exports = {
+ generateToken,
+ csrfSynchronisedProtection,
+};
diff --git a/src/middleware/index.js b/src/middleware/index.js
index 96bd3da398..57b6cc1231 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -2,7 +2,7 @@
 const async = require('async');
 const path = require('path');
-const csrf = require('csurf');
+const { csrfSynchronisedProtection } = require('./csrf');
 const validator = require('validator');
 const nconf = require('nconf');
 const toobusy = require('toobusy-js');
@@ -34,7 +34,7 @@ middleware.regexes = {
 timestampedUpload: /^\d+-.+$/,
 };
-const csrfMiddleware = csrf();
+const csrfMiddleware = csrfSynchronisedProtection;
 middleware.applyCSRF = function (req, res, next) {
 if (req.uid >= 0) {
diff --git a/src/routes/authentication.js b/src/routes/authentication.js
index 934fdec80e..62c1e15363 100644
--- a/src/routes/authentication.js
+++ b/src/routes/authentication.js
@@ -10,6 +10,7 @@ const meta = require('../meta');
 const controllers = require('../controllers');
 const helpers = require('../controllers/helpers');
 const plugins = require('../plugins');
+const { generateToken } = require('../middleware/csrf');
 let loginStrategies = [];
@@ -108,7 +109,7 @@ Auth.reloadRoutes = async function (params) {
 };
 if (strategy.checkState !== false) {
- req.session.ssoState = req.csrfToken && req.csrfToken();
+ req.session.ssoState = generateToken(req, true);
 opts.state = req.session.ssoState;
 }
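Review bot: `csrfSync({ size: 64 })` in the new module leaves `getTokenFromRequest` at the library default, which per csrf-sync's documentation reads only the `x-csrf-token` header, whereas the csurf middleware being replaced also accepted `_csrf` from the request body and query string. Any form or client in this codebase that still submits `_csrf` — none is visible from the hunk — will be rejected with 403 after this change, so either confirm every caller sends the header or add an explicit extractor such as `getTokenFromRequest: req => req.headers['x-csrf-token'] || (req.body && req.body._csrf),`. The options object should also state what is being chosen, e.g. `// 64 random bytes per token; request-side lookup relies on csrf-sync's default (x-csrf-token header only)` above `size`. This hunk is the whole new file, so nothing is cut off.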
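Review bot: Assigning `csrfSynchronisedProtection` to `csrfMiddleware` drops `req.csrfToken()`, which csurf's middleware attached to every request it processed; the patch migrates the two in-tree callers, but any other caller — other routes, or plugins, which I cannot see from here — now hits a TypeError on `req.csrfToken`. A small shim in `applyCSRF` before delegating keeps them working: import `generateToken` as well, `const { csrfSynchronisedProtection, generateToken } = require('./csrf');`, and inside the `req.uid >= 0` branch add `req.csrfToken = () => generateToken(req);`. With csrf-sync a token is one per session rather than per call, so the shim returns the same value on repeated calls, which should be noted next to it. The body of `middleware.applyCSRF` continues outside the hunk.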
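Review bot: `generateToken(req, true)` in `reloadRoutes` forces a new token into the session, so starting an SSO login invalidates the CSRF token the initiating page already holds from `config.csrf_token`; with csurf this was harmless because every `req.csrfToken()` value stayed valid against the one session secret, but csrf-sync by its documented defaults stores a single token, so a page that opens SSO in another tab or popup loses its token. The same value is then sent to the identity provider as the OAuth `state` parameter, which keeps the pre-existing pattern of putting a valid CSRF token into a cross-site redirect URL (Referer headers, IdP logs) and now exposes the one stored session token. Decoupling the two fixes both: `req.session.ssoState = crypto.randomBytes(32).toString('hex');` with `const crypto = require('crypto');` at the top of the file, assuming the callback-side check compares against `req.session.ssoState` (it is not in the hunk). `Auth.reloadRoutes` begins and ends outside the hunk.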