From e3d89ce2a5ca49ff9cb2d4046acfb26733d529c1 Mon Sep 17 00:00:00 2001 From: Panagiotis Papadopoulos Date: Thu, 16 Jan 2025 08:25:02 +0100 Subject: [PATCH 1/3] refactor(csrf): move csrf to own file --- src/routes/csrf_protection.ts | 15 +++++++++++++++ src/routes/routes.ts | 14 ++------------ 2 files changed, 17 insertions(+), 12 deletions(-) create mode 100644 src/routes/csrf_protection.ts diff --git a/src/routes/csrf_protection.ts b/src/routes/csrf_protection.ts new file mode 100644 index 000000000..3f681dd96 --- /dev/null +++ b/src/routes/csrf_protection.ts @@ -0,0 +1,15 @@ +import { doubleCsrf } from "csrf-csrf"; +import sessionSecret from "../services/session_secret.js"; + +const doubleCsrfUtilities = doubleCsrf({ + getSecret: () => sessionSecret, + cookieOptions: { + path: "", // empty, so cookie is valid only for the current path + secure: false, + sameSite: false, + httpOnly: false + }, + cookieName: "_csrf" +}); + +export const { doubleCsrfProtection } = doubleCsrfUtilities; diff --git a/src/routes/routes.ts b/src/routes/routes.ts index d04718cd5..8387227ec 100644 --- a/src/routes/routes.ts +++ b/src/routes/routes.ts @@ -9,13 +9,12 @@ import auth from "../services/auth.js"; import cls from "../services/cls.js"; import sql from "../services/sql.js"; import entityChangesService from "../services/entity_changes.js"; -import { doubleCsrf } from "csrf-csrf"; +import { doubleCsrfProtection as csrfMiddleware } from "./csrf_protection.js"; import { createPartialContentHandler } from "@triliumnext/express-partial-content"; import rateLimit from "express-rate-limit"; import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js"; import NotFoundError from "../errors/not_found_error.js"; import ValidationError from "../errors/validation_error.js"; -import sessionSecret from "../services/session_secret.js"; // page routes import setupRoute from "./setup.js"; @@ -72,16 +71,7 @@ import etapiSpecialNoteRoutes from "../etapi/special_notes.js"; import etapiSpecRoute from "../etapi/spec.js"; import etapiBackupRoute from "../etapi/backup.js"; -const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({ - getSecret: () => sessionSecret, - cookieOptions: { - path: "", // empty, so cookie is valid only for the current path - secure: false, - sameSite: false, - httpOnly: false - }, - cookieName: "_csrf" -}); + const MAX_ALLOWED_FILE_SIZE_MB = 250; const GET = "get", From 6dd8ab31d56046766642c60893f957cfb3aef7b0 Mon Sep 17 00:00:00 2001 From: Panagiotis Papadopoulos Date: Thu, 16 Jan 2025 09:23:25 +0100 Subject: [PATCH 2/3] refactor(csrf): export generateToken utility --- src/routes/csrf_protection.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/routes/csrf_protection.ts b/src/routes/csrf_protection.ts index 3f681dd96..aadd02100 100644 --- a/src/routes/csrf_protection.ts +++ b/src/routes/csrf_protection.ts @@ -12,4 +12,4 @@ const doubleCsrfUtilities = doubleCsrf({ cookieName: "_csrf" }); -export const { doubleCsrfProtection } = doubleCsrfUtilities; +export const { generateToken, doubleCsrfProtection } = doubleCsrfUtilities; From 139bf3dcdfd789492b5579632a161b5bcaa8fdb3 Mon Sep 17 00:00:00 2001 From: Panagiotis Papadopoulos Date: Thu, 16 Jan 2025 20:13:04 +0100 Subject: [PATCH 3/3] fix(csrf): use generateCsrfToken with more "user friendly" settings fixes the case, where existing TriliumNext users, will get a "Invalid CSRF Token" Message, when they have an older _csrf token in their cookies from a previous installation/visit. the settings now will handle these cases in the background automatically. also fixes #950 --- src/routes/index.ts | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/routes/index.ts b/src/routes/index.ts index c91c6ca99..18cbaf081 100644 --- a/src/routes/index.ts +++ b/src/routes/index.ts @@ -11,6 +11,8 @@ import protectedSessionService from "../services/protected_session.js"; import packageJson from "../../package.json" with { type: "json" }; import assetPath from "../services/asset_path.js"; import appPath from "../services/app_path.js"; +import { generateToken as generateCsrfToken } from "./csrf_protection.js"; + import type { Request, Response } from "express"; import type BNote from "../becca/entities/bnote.js"; @@ -19,7 +21,9 @@ function index(req: Request, res: Response) { const view = !utils.isElectron() && req.cookies["trilium-device"] === "mobile" ? "mobile" : "desktop"; - const csrfToken = (typeof req.csrfToken === "function") ? req.csrfToken() : undefined; + //'overwrite' set to false (default) => the existing token will be re-used and validated + //'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error + const csrfToken = generateCsrfToken(req, res, false, false); log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`); // We force the page to not be cached since on mobile the CSRF token can be