fix: generate csrf tokens on server not client (#41908)

Co-authored-by: Mrugesh Mohapatra <1884376+raisedadead@users.noreply.github.com>
Oliver Eyton-Williams
2021-04-30 08:42:26 +02:00
committed by GitHub
parent 968c6f7700
commit 00193858a0
4 changed files with 20 additions and 49 deletions


@ -1,12 +1,14 @@
import csurf from 'csurf';
const opts = {
domain: process.env.COOKIE_DOMAIN || 'localhost',
sameSite: 'strict',
secure: process.env.FREECODECAMP_NODE_ENV === 'production'
};
export default function getCsurf() {
const protection = csurf({
cookie: {
domain: process.env.COOKIE_DOMAIN || 'localhost',
sameSite: 'strict',
secure: process.env.FREECODECAMP_NODE_ENV === 'production'
}
cookie: opts
});
return function csrf(req, res, next) {
const { path } = req;
@ -16,8 +18,13 @@ export default function getCsurf() {
path
)
) {
return next();
next();
} else {
// add the middleware
protection(req, res, next);
// use the middleware to generate a token. The client sends this back via
// a header
res.cookie('csrf_token', req.csrfToken(), opts);
}
return protection(req, res, next);
};
}
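Review bot: In the second hunk, `res.cookie('csrf_token', req.csrfToken(), opts)` is issued only after `protection(req, res, next)` has returned, and csurf hands control to `next` from inside that call, so the token cookie is written after downstream handlers may already have started the response (a synchronous `res.send` there turns the cookie write into a headers-already-sent error) and it is still written when csurf rejected the request via `next(err)`. The rendered section also shows `protection(req, res, next)` both inside the `else` branch and as the trailing `return protection(req, res, next)`; if both are on the new side, csurf runs twice for every non-excluded path and `next` is called twice, which needs confirming against the committed file. Generating the token from a completion callback keeps the cookie write ordered before the rest of the chain and skips it on validation failure. Separately, `opts` is now shared by csurf's secret cookie and the readable `csrf_token` cookie, and csurf forwards those options unchanged, so unless `httpOnly` is set elsewhere the secret cookie is script-readable; the secret should get `{ ...opts, httpOnly: true }` while only the token cookie stays readable.
```javascript
    } else {
      protection(req, res, err => {
        if (err) return next(err);
        // use the middleware to generate a token. The client sends this back via
        // a header
        res.cookie('csrf_token', req.csrfToken(), opts);
        return next();
      });
    }
    // … unchanged: closing of csrf() and getCsurf() …
```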