freeCodeCamp/api-server/server/middlewares/csurf.js

import csurf from 'csurf';

export default function() {
  const protection = csurf({
    cookie: {
      domain: process.env.COOKIE_DOMAIN || 'localhost',
      sameSite: 'strict',
      secure: true
    }
  });
  return function csrf(req, res, next) {
    const { path } = req;
    if (
      // eslint-disable-next-line max-len
      /^\/hooks\/update-paypal$|^\/hooks\/update-stripe$|^\/donate\/charge-stripe$/.test(
        path
      )
    ) {
      return next();
    }
    return protection(req, res, next);
  };
}
Add csrf protection 2016-05-02 17:22:56 -07:00			`import csurf from 'csurf';`

			`export default function() {`
feat: Use prettier-eslint to format code 2019-02-18 19:32:49 +00:00			`const protection = csurf({`
			`cookie: {`
fix(api): csurf to SameSite 'strict', https only (#39077) Lax and http are probably sufficient, but if the stricter versions work there's no harm using them. 2020-06-16 17:18:48 +02:00			`domain: process.env.COOKIE_DOMAIN \|\| 'localhost',`
			`sameSite: 'strict',`
			`secure: true`
feat(auth): Authorise 'external' requests through JWT (#17224) 2018-05-23 21:10:56 +01:00			`}`
feat: Use prettier-eslint to format code 2019-02-18 19:32:49 +00:00			`});`
Remove csrf from api calls 2016-05-02 21:11:49 -07:00			`return function csrf(req, res, next) {`
feat(api): add and update webhooks routing 2020-03-19 12:20:04 +05:30			`const { path } = req;`
fix(donate): allow calls to the API without auth This is also dependent on 170e3dbf4f65d0592c52e73ba56625c301255149 2020-03-21 01:39:29 +05:30			`if (`
			`// eslint-disable-next-line max-len`
			`/^\/hooks\/update-paypal$\|^\/hooks\/update-stripe$\|^\/donate\/charge-stripe$/.test(`
			`path`
			`)`
			`) {`
Remove csrf from api calls 2016-05-02 21:11:49 -07:00			`return next();`
			`}`
			`return protection(req, res, next);`
			`};`
Add csrf protection 2016-05-02 17:22:56 -07:00			`}`