fix: generate csrf tokens on server (#41968)

Co-authored-by: Ahmad Abdolsaheb <ahmad.abdolsaheb@gmail.com>

api-server/src/server/middleware.json

@@ -35,6 +35,7 @@
     "helmet#noSniff": {},
     "helmet#frameguard": {},
     "./middlewares/csurf": {},
+    "./middlewares/csurf-set-cookie": {},
     "./middlewares/constant-headers": {},
     "./middlewares/csp": {},
     "./middlewares/flash-cheaters": {},
@@ -43,6 +44,7 @@
   "files": {},
   "final:after": {
     "./middlewares/sentry-error-handler": {},
+    "./middlewares/csurf-error-handler": {},
     "./middlewares/error-handlers": {},
     "strong-error-handler": {
       "params": {

api-server/src/server/middlewares/csurf-error-handler.js

@@ -0,0 +1,12 @@
+import { csrfOptions } from './csurf.js';
+
+export default function csrfErrorHandler() {
+  return function (err, req, res, next) {
+    if (err.code === 'EBADCSRFTOKEN') {
+      // use the middleware to generate a token. The client sends this back via
+      // a header
+      res.cookie('csrf_token', req.csrfToken(), csrfOptions);
+    }
+    next(err);
+  };
+}

api-server/src/server/middlewares/csurf-set-cookie.js

@@ -0,0 +1,13 @@
+import { csrfOptions } from './csurf.js';
+
+export default function setCSRFCookie() {
+  return function (req, res, next) {
+    // not all paths require a CSRF token, so the function may not be available.
+    if (req.csrfToken) {
+      // use the middleware to generate a token. The client sends this back via
+      // a header
+      res.cookie('csrf_token', req.csrfToken(), csrfOptions);
+    }
+    next();
+  };
+}

api-server/src/server/middlewares/csurf.js

@@ -1,12 +1,14 @@
 import csurf from 'csurf';
 
+export const csrfOptions = {
+  domain: process.env.COOKIE_DOMAIN || 'localhost',
+  sameSite: 'strict',
+  secure: process.env.FREECODECAMP_NODE_ENV === 'production'
+};
+
 export default function getCsurf() {
   const protection = csurf({
-    cookie: {
-      domain: process.env.COOKIE_DOMAIN || 'localhost',
-      sameSite: 'strict',
-      secure: process.env.FREECODECAMP_NODE_ENV === 'production'
-    }
+    cookie: csrfOptions
   });
   return function csrf(req, res, next) {
     const { path } = req;
@@ -14,8 +16,10 @@ export default function getCsurf() {
       // eslint-disable-next-line max-len
       /^\/hooks\/update-paypal$/.test(path)
     ) {
-      return next();
+      next();
+    } else {
+      // add the middleware
+      protection(req, res, next);
     }
-    return protection(req, res, next);
   };
 }

api-server/src/server/utils/getSetAccessToken.js

@@ -64,6 +64,7 @@ export function removeCookies(req, res) {
   res.clearCookie('access_token', config);
   res.clearCookie('userId', config);
   res.clearCookie('_csrf', config);
+  res.clearCookie('csrf_token', config);
   return;
 }