chore: rollback CSRF token generation (#42082)

This reverts commit e1c00138a9.
2021-05-11 00:27:08 +05:30
parent 94d4b2f553
commit 83943de719
9 changed files with 49 additions and 52 deletions
--- a/api-server/src/server/middleware.json
+++ b/api-server/src/server/middleware.json
@ -35,7 +35,6 @@
    "helmet#noSniff": {},
    "helmet#frameguard": {},
    "./middlewares/csurf": {},
-    "./middlewares/csurf-set-cookie": {},
    "./middlewares/constant-headers": {},
    "./middlewares/csp": {},
    "./middlewares/flash-cheaters": {},
@ -44,7 +43,6 @@
  "files": {},
  "final:after": {
    "./middlewares/sentry-error-handler": {},
-    "./middlewares/csurf-error-handler": {},
    "./middlewares/error-handlers": {},
    "strong-error-handler": {
      "params": {
--- a/api-server/src/server/middlewares/csurf-error-handler.js
+++ b/api-server/src/server/middlewares/csurf-error-handler.js
@ -1,12 +0,0 @@
-import { csrfOptions } from './csurf.js';
-
-export default function csrfErrorHandler() {
-  return function (err, req, res, next) {
-    if (err.code === 'EBADCSRFTOKEN') {
-      // use the middleware to generate a token. The client sends this back via
-      // a header
-      res.cookie('csrf_token', req.csrfToken(), csrfOptions);
-    }
-    next(err);
-  };
-}
--- a/api-server/src/server/middlewares/csurf-set-cookie.js
+++ b/api-server/src/server/middlewares/csurf-set-cookie.js
@ -1,13 +0,0 @@
-import { csrfOptions } from './csurf.js';
-
-export default function setCSRFCookie() {
-  return function (req, res, next) {
-    // not all paths require a CSRF token, so the function may not be available.
-    if (req.csrfToken) {
-      // use the middleware to generate a token. The client sends this back via
-      // a header
-      res.cookie('csrf_token', req.csrfToken(), csrfOptions);
-    }
-    next();
-  };
-}
--- a/api-server/src/server/middlewares/csurf.js
+++ b/api-server/src/server/middlewares/csurf.js
@ -1,14 +1,12 @@
 import csurf from 'csurf';

-export const csrfOptions = {
-  domain: process.env.COOKIE_DOMAIN || 'localhost',
-  sameSite: 'strict',
-  secure: process.env.FREECODECAMP_NODE_ENV === 'production'
-};
-
 export default function getCsurf() {
  const protection = csurf({
-    cookie: csrfOptions
+    cookie: {
+      domain: process.env.COOKIE_DOMAIN || 'localhost',
+      sameSite: 'strict',
+      secure: process.env.FREECODECAMP_NODE_ENV === 'production'
+    }
  });
  return function csrf(req, res, next) {
    const { path } = req;
@ -16,10 +14,8 @@ export default function getCsurf() {
      // eslint-disable-next-line max-len
      /^\/hooks\/update-paypal$/.test(path)
    ) {
-      next();
-    } else {
-      // add the middleware
-      protection(req, res, next);
+      return next();
    }
+    return protection(req, res, next);
  };
 }
--- a/api-server/src/server/utils/getSetAccessToken.js
+++ b/api-server/src/server/utils/getSetAccessToken.js
@ -64,7 +64,6 @@ export function removeCookies(req, res) {
  res.clearCookie('access_token', config);
  res.clearCookie('userId', config);
  res.clearCookie('_csrf', config);
-  res.clearCookie('csrf_token', config);
  return;
 }