fix: generate csrf tokens on server (#41968)

Co-authored-by: Ahmad Abdolsaheb <ahmad.abdolsaheb@gmail.com>
2021-05-10 18:10:42 +02:00
parent 21dd80c47a
commit e1c00138a9
9 changed files with 52 additions and 49 deletions
--- a/api-server/src/server/middleware.json
+++ b/api-server/src/server/middleware.json
@ -35,6 +35,7 @@
    "helmet#noSniff": {},
    "helmet#frameguard": {},
    "./middlewares/csurf": {},
    "./middlewares/csurf-set-cookie": {},
    "./middlewares/constant-headers": {},
    "./middlewares/csp": {},
    "./middlewares/flash-cheaters": {},
@ -43,6 +44,7 @@
  "files": {},
  "final:after": {
    "./middlewares/sentry-error-handler": {},
    "./middlewares/csurf-error-handler": {},
    "./middlewares/error-handlers": {},
    "strong-error-handler": {
      "params": {
--- a/api-server/src/server/middlewares/csurf-error-handler.js
+++ b/api-server/src/server/middlewares/csurf-error-handler.js
@ -0,0 +1,12 @@
 import { csrfOptions } from './csurf.js';
 export default function csrfErrorHandler() {
  return function (err, req, res, next) {
    if (err.code === 'EBADCSRFTOKEN') {
      // use the middleware to generate a token. The client sends this back via
      // a header
      res.cookie('csrf_token', req.csrfToken(), csrfOptions);
    }
    next(err);
  };
 }
--- a/api-server/src/server/middlewares/csurf-set-cookie.js
+++ b/api-server/src/server/middlewares/csurf-set-cookie.js
@ -0,0 +1,13 @@
 import { csrfOptions } from './csurf.js';
 export default function setCSRFCookie() {
  return function (req, res, next) {
    // not all paths require a CSRF token, so the function may not be available.
    if (req.csrfToken) {
      // use the middleware to generate a token. The client sends this back via
      // a header
      res.cookie('csrf_token', req.csrfToken(), csrfOptions);
    }
    next();
  };
 }
--- a/api-server/src/server/middlewares/csurf.js
+++ b/api-server/src/server/middlewares/csurf.js
@ -1,12 +1,14 @@
 import csurf from 'csurf';
-export default function getCsurf() {
+export const csrfOptions = {
  const protection = csurf({
    cookie: {
  domain: process.env.COOKIE_DOMAIN || 'localhost',
  sameSite: 'strict',
  secure: process.env.FREECODECAMP_NODE_ENV === 'production'
-    }
+};
 export default function getCsurf() {
  const protection = csurf({
    cookie: csrfOptions
  });
  return function csrf(req, res, next) {
    const { path } = req;
@ -14,8 +16,10 @@ export default function getCsurf() {
      // eslint-disable-next-line max-len
      /^\/hooks\/update-paypal$/.test(path)
    ) {
-      return next();
+      next();
    } else {
      // add the middleware
      protection(req, res, next);
    }
    return protection(req, res, next);
  };
 }
--- a/api-server/src/server/utils/getSetAccessToken.js
+++ b/api-server/src/server/utils/getSetAccessToken.js
@ -64,6 +64,7 @@ export function removeCookies(req, res) {
  res.clearCookie('access_token', config);
  res.clearCookie('userId', config);
  res.clearCookie('_csrf', config);
  res.clearCookie('csrf_token', config);
  return;
 }
--- a/client/gatsby-browser.js
+++ b/client/gatsby-browser.js
@ -2,6 +2,7 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import { Provider } from 'react-redux';
 import { I18nextProvider } from 'react-i18next';
 import cookies from 'browser-cookies';
 import i18n from './i18n/config';
 import { createStore } from './src/redux/createStore';
@ -27,3 +28,9 @@ wrapRootElement.propTypes = {
 export const wrapPageElement = layoutSelector;
 export const disableCorePrefetching = () => true;
 export const onClientEntry = () => {
  // purge the _csrf cookie, rather than relying what the browser decides a
  // Session duration is
  cookies.erase('_csrf');
 };
--- a/client/package-lock.json
+++ b/client/package-lock.json
@ -7131,16 +7131,6 @@
      "resolved": "https://registry.npmjs.org/crypto-random-string/-/crypto-random-string-2.0.0.tgz",
      "integrity": "sha512-v1plID3y9r/lPhviJ1wrXpLeyUIGAZ2SHNYTEapm7/8A9nLPoyvVp3RK/EPFqn5kEznyWgYZNsRtYYIWbuG8KA=="
    },
    "csrf": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz",
      "integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==",
      "requires": {
        "rndm": "1.2.0",
        "tsscmp": "1.0.6",
        "uid-safe": "2.1.5"
      }
    },
    "css": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/css/-/css-3.0.0.tgz",
@ -20956,11 +20946,6 @@
        "ret": "~0.1.10"
      }
    },
    "random-bytes": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/random-bytes/-/random-bytes-1.0.0.tgz",
      "integrity": "sha1-T2ih3Arli9P7lYSMMDJNt11kNgs="
    },
    "randombytes": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz",
@ -22376,11 +22361,6 @@
        "inherits": "^2.0.1"
      }
    },
    "rndm": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz",
      "integrity": "sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w="
    },
    "rst-selector-parser": {
      "version": "2.2.3",
      "resolved": "https://registry.npmjs.org/rst-selector-parser/-/rst-selector-parser-2.2.3.tgz",
@ -24443,11 +24423,6 @@
      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
      "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
    },
    "tsscmp": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz",
      "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA=="
    },
    "tsutils": {
      "version": "3.19.1",
      "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.19.1.tgz",
@ -24547,14 +24522,6 @@
        "typescript-compare": "^0.0.2"
      }
    },
    "uid-safe": {
      "version": "2.1.5",
      "resolved": "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz",
      "integrity": "sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==",
      "requires": {
        "random-bytes": "~1.0.0"
      }
    },
    "unbox-primitive": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/unbox-primitive/-/unbox-primitive-1.0.0.tgz",
--- a/client/package.json
+++ b/client/package.json
@ -62,7 +62,6 @@
    "buffer": "6.0.3",
    "chai": "4.3.4",
    "crypto-browserify": "3.12.0",
    "csrf": "3.1.0",
    "date-fns": "2.21.3",
    "enzyme": "3.11.0",
    "enzyme-adapter-react-16": "1.15.6",
--- a/client/src/utils/ajax.js
+++ b/client/src/utils/ajax.js
@ -1,22 +1,20 @@
 import envData from '../../../config/env.json';
 import axios from 'axios';
 import Tokens from 'csrf';
 import cookies from 'browser-cookies';
 const { apiLocation } = envData;
 const base = apiLocation;
 const tokens = new Tokens();
 axios.defaults.withCredentials = true;
-// _csrf is passed to the client as a cookie. Tokens are sent back to the server
+// csrf_token is passed to the client as a cookie. The client must send
-// via headers:
+// this back as a header.
 function setCSRFTokens() {
-  const _csrf = typeof window !== 'undefined' && cookies.get('_csrf');
+  const csrfToken = typeof window !== 'undefined' && cookies.get('csrf_token');
-  if (!_csrf) return;
+  if (!csrfToken) return;
-  axios.defaults.headers.post['CSRF-Token'] = tokens.create(_csrf);
+  axios.defaults.headers.post['CSRF-Token'] = csrfToken;
-  axios.defaults.headers.put['CSRF-Token'] = tokens.create(_csrf);
+  axios.defaults.headers.put['CSRF-Token'] = csrfToken;
 }
 function get(path) {