yazid138 2 лет назад
Родитель
Сommit
46a31d03cd
3 измененных файлов с 32 добавлено и 2 удалено
  1. 1 1
      app.js
  2. 30 0
      middleware/csrf.js
  3. 1 1
      package.json

+ 1 - 1
app.js

@@ -14,7 +14,7 @@ app.use(logger('dev'))
 app.use(express.json())
 app.use(cors({ origin: true, credentials: true }))
 app.use(express.urlencoded({ extended: false }))
-app.use(cookieParser(process.env.SRU51))
+app.use(cookieParser('asdfa7a56sdf586aasdf'))
 // app.use(csrf("XwHsY7X1spE#pdhgdGe9G$Cw&mF7n8=$", ['POST', 'PUT', 'DELETE'], ['/v1/auth/login', /\/v1\/auto\//i]))
 app.use(express.static(path.join(__dirname, 'public')))
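Review bot: The new cookieParser line replaces the environment-sourced signing secret with a string literal committed to the repository, so anyone with read access to the history can forge signed cookies; keep `app.use(cookieParser(process.env.SRU51))` and fail fast when it is missing, e.g. `if (!process.env.SRU51) throw new Error('SRU51 is not set')` ahead of the app.use chain. Because this literal now lives in git history, it should be treated as exposed and replaced rather than reused. The middleware/csrf.js added in this same commit is not registered here; the only csrf line remains commented out, so after this change no route is CSRF-protected — presumably the intent was `app.use(csrf(['POST', 'PUT', 'DELETE'], ['/v1/auth/login', /\/v1\/auto\//i]))` pointing at the new module, confirm.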
 

+ 30 - 0
middleware/csrf.js

@@ -0,0 +1,30 @@
+const { doubleCsrf } = require('csrf-csrf')
+
+module.exports = (ignoredMethods, excludeUrls) => {
+  const {
+    doubleCsrfProtection,
+    validateRequest
+  } = doubleCsrf({
+    getSecret: () => process.env.SRU51,
+    cookieName: '_csrf',
+    getTokenFromRequest: (req) => req.body._csrf || req.headers['x-csrf-token'] || req.query._csrf,
+    ignoredMethods,
+    cookieOptions: {
+      sameSite: 'lax',
+      path: '/',
+      secure: true
+    },
+    size: 32
+  })
+  return [
+    (req, res, next) => {
+      if (excludeUrls?.filter(
+        (x) => x === req.originalUrl || (x.test && x.test(req.originalUrl))
+      ).length > 0) next()
+      else doubleCsrfProtection(req, res, next)
+    }, (req, res, next) => {
+      if (validateRequest(req)) res.clearCookie('_csrf')
+      next()
+    }
+  ]
+}
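Review bot: `getSecret: () => process.env.SRU51` returns undefined when the variable is unset and nothing in the module checks it, so the problem surfaces only at request time (or, depending on how csrf-csrf treats an empty secret, as tokens derived from no secret at all); read it once and throw at module load. `getTokenFromRequest` also accepts the token from `req.query._csrf`, which puts it into URLs, access logs and Referer headers — accepting only the body field and the `x-csrf-token` header avoids that, and `req.body?._csrf` keeps the extractor from throwing when a request reaches it without a parsed body. The exclude check reads better as `some` than `filter(...).length > 0`. Note also that the second middleware runs `validateRequest` for every request, including methods listed in `ignoredMethods`, so a GET that happens to carry a valid token clears the `_csrf` cookie; if that is not intended, gate it on `!ignoredMethods.includes(req.method)`.
```javascript
module.exports = (ignoredMethods, excludeUrls) => {
  const secret = process.env.SRU51
  if (!secret) throw new Error('CSRF secret SRU51 is not set')
  const {
    doubleCsrfProtection,
    validateRequest
  } = doubleCsrf({
    getSecret: () => secret,
    cookieName: '_csrf',
    getTokenFromRequest: (req) => req.body?._csrf || req.headers['x-csrf-token'],
    // … unchanged: ignoredMethods, cookieOptions, size …
  })
  return [
    (req, res, next) => {
      const excluded = excludeUrls?.some(
        (x) => x === req.originalUrl || (x.test && x.test(req.originalUrl))
      )
      if (excluded) next()
      else doubleCsrfProtection(req, res, next)
    },
    // … unchanged: cookie-clearing middleware …
  ]
}
```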

+ 1 - 1
package.json

@@ -15,6 +15,7 @@
     "cors": "^2.8.5",
     "crypto": "^1.0.1",
     "cryptr": "^6.2.0",
+    "csrf-csrf": "^2.3.0",
     "debug": "~2.6.9",
     "dotenv": "^16.0.0",
     "express": "~4.16.1",
@@ -24,7 +25,6 @@
     "mongoose": "^6.2.7",
     "morgan": "~1.9.1",
     "multer": "^1.4.4",
-    "tiny-csrf": "^1.1.3",
     "xlsx": "^0.18.5"
   },
   "devDependencies": {
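Review bot: tiny-csrf is removed here while the app.js hunk in this commit still shows only a commented-out `csrf(...)` call with tiny-csrf's argument shape and no new require of middleware/csrf.js; if a `require('tiny-csrf')` survives in app.js outside the visible hunk, the server fails to start after the next `npm install`. Worth confirming the import was swapped in the same commit, and that the lockfile was regenerated so csrf-csrf ^2.3.0 is actually what gets installed.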