Tools/Notes
1
0
Fork 0
mirror of https://github.com/TriliumNext/Notes.git synced 2025-08-11 11:02:27 +08:00
Code Issues Packages Projects Releases Wiki Activity
Notes/src/routes/csrf_protection.ts

17 lines
597 B
TypeScript
Raw Normal View History

refactor(csrf): move csrf to own file
2025-01-16 08:25:02 +01:00
import { doubleCsrf } from "csrf-csrf";
import sessionSecret from "../services/session_secret.js";
fix(csrf): add exception for electron for httpOnly cookie it does not seem to like having httpOnly set in electron
2025-01-17 09:23:00 +01:00
import { isElectron } from "../services/utils.js";
refactor(csrf): move csrf to own file
2025-01-16 08:25:02 +01:00
const doubleCsrfUtilities = doubleCsrf({
getSecret: () => sessionSecret,
cookieOptions: {
path: "", // empty, so cookie is valid only for the current path
secure: false,
fix(csrf): set more secure cookieOptions settings - `sameSite` - previous setting inherited from csurf was to simply not set it at all, which makes all browser nag in their dev console output. They will default to "Lax" for these type of cookies in the future. We can even use "strict" here though for our use case: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value - `httpOnly`: should be enabled for the csrf cookie as well for the session cookie it already is enabled. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#httponly
2025-01-16 21:35:50 +01:00
sameSite: "strict",
fix(csrf): add exception for electron for httpOnly cookie it does not seem to like having httpOnly set in electron
2025-01-17 09:23:00 +01:00
httpOnly: !isElectron() // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966
refactor(csrf): move csrf to own file
2025-01-16 08:25:02 +01:00
},
cookieName: "_csrf"
});
refactor(csrf): export generateToken utility
2025-01-16 09:23:25 +01:00
export const { generateToken, doubleCsrfProtection } = doubleCsrfUtilities;
Reference in New Issue Copy Permalink