feat(auth): Add optional CSRF protection (#697)

* fix(auth): Missing CSRF middleware Resolves LGTM alert/error for query js/missing-token-validation More info: https://lgtm.com/rules/1506064038914/
2021-01-24 21:27:57 -05:00
parent 4b0241c3b3
commit 6e2589178b
7 changed files with 98 additions and 3 deletions
--- a/server/index.ts
+++ b/server/index.ts
@@ -5,6 +5,7 @@ import { createConnection, getRepository } from 'typeorm';
 import routes from './routes';
 import bodyParser from 'body-parser';
 import cookieParser from 'cookie-parser';
+import csurf from 'csurf';
 import session, { Store } from 'express-session';
 import { TypeormStore } from 'connect-typeorm/out';
 import YAML from 'yamljs';
@@ -78,8 +79,26 @@ app
        next();
      }
    });
+    if (settings.main.csrfProtection) {
+      server.use(
+        csurf({
+          cookie: {
+            httpOnly: true,
+            sameSite: true,
+            secure: !dev,
+          },
+        })
+      );
+      server.use((req, res, next) => {
+        res.cookie('XSRF-TOKEN', req.csrfToken(), {
+          sameSite: true,
+          secure: !dev,
+        });
+        next();
+      });
+    }

-    // Setup sessions
+    // Set up sessions
    const sessionRespository = getRepository(Session);
    server.use(
      '/api',