Notes/src/routes/csrf_protection.ts

import { doubleCsrf } from "csrf-csrf";
import sessionSecret from "../services/session_secret.js";
import { isElectron } from "../services/utils.js";

const doubleCsrfUtilities = doubleCsrf({
    getSecret: () => sessionSecret,
    cookieOptions: {
        path: "", // empty, so cookie is valid only for the current path
        secure: false,
        sameSite: "strict",
        httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966
    },
    cookieName: "_csrf"
});

export const { generateToken, doubleCsrfProtection } = doubleCsrfUtilities;
refactor(csrf): move csrf to own file 2025-01-16 08:25:02 +01:00			`import { doubleCsrf } from "csrf-csrf";`
			`import sessionSecret from "../services/session_secret.js";`
fix(csrf): add exception for electron for httpOnly cookie it does not seem to like having httpOnly set in electron 2025-01-17 09:23:00 +01:00			`import { isElectron } from "../services/utils.js";`
refactor(csrf): move csrf to own file 2025-01-16 08:25:02 +01:00
			`const doubleCsrfUtilities = doubleCsrf({`
			`getSecret: () => sessionSecret,`
			`cookieOptions: {`
			`path: "", // empty, so cookie is valid only for the current path`
			`secure: false,`
fix(csrf): set more secure cookieOptions settings - `sameSite` - previous setting inherited from csurf was to simply not set it at all, which makes all browser nag in their dev console output. They will default to "Lax" for these type of cookies in the future. We can even use "strict" here though for our use case: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value - `httpOnly`: should be enabled for the csrf cookie as well for the session cookie it already is enabled. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#httponly 2025-01-16 21:35:50 +01:00			`sameSite: "strict",`
refactor(server/utils): isElectron - replace fn with boolean this values cannot change during runtime, => there is no need to have these checks as dynamic function, instead just export the boolean value directly 2025-01-22 18:57:06 +01:00			`httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966`
refactor(csrf): move csrf to own file 2025-01-16 08:25:02 +01:00			`},`
			`cookieName: "_csrf"`
			`});`

refactor(csrf): export generateToken utility 2025-01-16 09:23:25 +01:00			`export const { generateToken, doubleCsrfProtection } = doubleCsrfUtilities;`