ptb-be/middleware/csrf.js

const { doubleCsrf } = require('csrf-csrf')

module.exports = (ignoredMethods, excludeUrls) => {
  const {
    doubleCsrfProtection,
    validateRequest
  } = doubleCsrf({
    getSecret: () => process.env.SRU51,
    cookieName: '_csrf',
    getTokenFromRequest: (req) => req.body._csrf || req.headers['x-csrf-token'] || req.query._csrf,
    ignoredMethods,
    cookieOptions: {
      sameSite: 'lax',
      path: '/',
      secure: true
    },
    size: 32
  })
  return [
    (req, res, next) => {
      if (excludeUrls?.filter(
        (x) => x === req.originalUrl || (x.test && x.test(req.originalUrl))
      ).length > 0) next()
      else doubleCsrfProtection(req, res, next)
    }, (req, res, next) => {
      if (validateRequest(req)) res.clearCookie('_csrf')
      next()
    }
  ]
}