Tools/Notes
1
0
Fork 0
mirror of https://github.com/TriliumNext/Notes.git synced 2025-07-27 10:02:59 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #864 from pano9000/refactor_replace-csurf

Browse Source 
refactor: replace csurf with csrf-csrf
This commit is contained in:
Elian Doran 2025-01-14 20:33:29 +02:00 committed by GitHub
commit 3f612a1b70
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 45 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
package-lock.json generated
View File

@ -29,7 +29,7 @@
"codemirror": "5.65.18",
"compression": "1.7.5",
"cookie-parser": "1.4.7",
"csurf": "1.11.0",
"csrf-csrf": "3.1.0",
"dayjs": "1.11.13",
"dayjs-plugin-utc": "0.1.2",
"debounce": "2.2.0",
@ -118,7 +118,6 @@
"@types/cls-hooked": "4.3.9",
"@types/compression": "1.7.5",
"@types/cookie-parser": "1.4.8",
"@types/csurf": "1.11.5",
"@types/debounce": "1.2.4",
"@types/ejs": "3.1.5",
"@types/electron-squirrel-startup": "1.0.2",
@ -3806,16 +3805,6 @@
"@types/express": "*"
}
},
"node_modules/@types/csurf": {
"version": "1.11.5",
"resolved": "https://registry.npmjs.org/@types/csurf/-/csurf-1.11.5.tgz",
"integrity": "sha512-5rw87+5YGixyL2W8wblSUl5DSZi5YOlXE6Awwn2ofLvqKr/1LruKffrQipeJKUX44VaxKj8m5es3vfhltJTOoA==",
"dev": true,
"license": "MIT",
"dependencies": {
"@types/express-serve-static-core": "*"
}
},
"node_modules/@types/d3": {
"version": "7.4.3",
"resolved": "https://registry.npmjs.org/@types/d3/-/d3-7.4.3.tgz",
@ -6854,19 +6843,40 @@
"node": ">=12.10"
}
},
"node_modules/csrf": {
"node_modules/csrf-csrf": {
"version": "3.1.0",
"resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz",
"integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==",
"resolved": "https://registry.npmjs.org/csrf-csrf/-/csrf-csrf-3.1.0.tgz",
"integrity": "sha512-kZacFfFbdYFxNnFdigRHCzVAq019vJyUUtgPLjCtzh6jMXcWmf8bGUx/hsqtSEMXaNcPm8iXpjC+hW5aeOsRMg==",
"license": "ISC",
"dependencies": {
"rndm": "1.2.0",
"tsscmp": "1.0.6",
"uid-safe": "2.1.5"
"http-errors": "^2.0.0"
}
},
"node_modules/csrf-csrf/node_modules/http-errors": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz",
"integrity": "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==",
"license": "MIT",
"dependencies": {
"depd": "2.0.0",
"inherits": "2.0.4",
"setprototypeof": "1.2.0",
"statuses": "2.0.1",
"toidentifier": "1.0.1"
},
"engines": {
"node": ">= 0.8"
}
},
"node_modules/csrf-csrf/node_modules/toidentifier": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz",
"integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==",
"license": "MIT",
"engines": {
"node": ">=0.6"
}
},
"node_modules/css-select": {
"version": "5.1.0",
"resolved": "https://registry.npmjs.org/css-select/-/css-select-5.1.0.tgz",
@ -6908,29 +6918,6 @@
"node": ">=18"
}
},
"node_modules/csurf": {
"version": "1.11.0",
"resolved": "https://registry.npmjs.org/csurf/-/csurf-1.11.0.tgz",
"integrity": "sha512-UCtehyEExKTxgiu8UHdGvHj4tnpE/Qctue03Giq5gPgMQ9cg/ciod5blZQ5a4uCEenNQjxyGuzygLdKUmee/bQ==",
"deprecated": "Please use another csrf package",
"dependencies": {
"cookie": "0.4.0",
"cookie-signature": "1.0.6",
"csrf": "3.1.0",
"http-errors": "~1.7.3"
},
"engines": {
"node": ">= 0.8.0"
}
},
"node_modules/csurf/node_modules/cookie": {
"version": "0.4.0",
"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz",
"integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg==",
"engines": {
"node": ">= 0.6"
}
},
"node_modules/cytoscape": {
"version": "3.30.4",
"resolved": "https://registry.npmjs.org/cytoscape/-/cytoscape-3.30.4.tgz",
@ -10384,42 +10371,6 @@
"dev": true,
"license": "BSD-2-Clause"
},
"node_modules/http-errors": {
"version": "1.7.3",
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.3.tgz",
"integrity": "sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==",
"dependencies": {
"depd": "~1.1.2",
"inherits": "2.0.4",
"setprototypeof": "1.1.1",
"statuses": ">= 1.5.0 < 2",
"toidentifier": "1.0.0"
},
"engines": {
"node": ">= 0.6"
}
},
"node_modules/http-errors/node_modules/depd": {
"version": "1.1.2",
"resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz",
"integrity": "sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==",
"engines": {
"node": ">= 0.6"
}
},
"node_modules/http-errors/node_modules/setprototypeof": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.1.tgz",
"integrity": "sha512-JvdAWfbXeIGaZ9cILp38HntZSFSo3mWg6xGcJJsd+d4aRMOqauag1C63dJfDw7OaMYwEbHMOxEZ1lqVRYP2OAw=="
},
"node_modules/http-errors/node_modules/statuses": {
"version": "1.5.0",
"resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz",
"integrity": "sha512-OpZ3zP+jT1PI7I8nemJX4AKmAX070ZkYPVWV/AaKTJl+tXCTGyVdC1a4SL8RUQYEwk/f34ZX8UTykN68FwrqAA==",
"engines": {
"node": ">= 0.6"
}
},
"node_modules/http-proxy-agent": {
"version": "7.0.2",
"resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz",
@ -14832,11 +14783,6 @@
"url": "https://github.com/sponsors/isaacs"
}
},
"node_modules/rndm": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz",
"integrity": "sha512-fJhQQI5tLrQvYIYFpOnFinzv9dwmR7hRnUz1XqP3OJ1jIweTNOd6aTO4jwQSgcBSFUB+/KHJxuGneime+FdzOw=="
},
"node_modules/roarr": {
"version": "2.15.4",
"resolved": "https://registry.npmjs.org/roarr/-/roarr-2.15.4.tgz",
@ -16360,14 +16306,6 @@
"node": ">=8.0"
}
},
"node_modules/toidentifier": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.0.tgz",
"integrity": "sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw==",
"engines": {
"node": ">=0.6"
}
},
"node_modules/token-types": {
"version": "5.0.1",
"resolved": "https://registry.npmjs.org/token-types/-/token-types-5.0.1.tgz",
@ -16556,14 +16494,6 @@
"integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
"license": "0BSD"
},
"node_modules/tsscmp": {
"version": "1.0.6",
"resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz",
"integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==",
"engines": {
"node": ">=0.6.x"
}
},
"node_modules/tsx": {
"version": "4.19.2",
"resolved": "https://registry.npmjs.org/tsx/-/tsx-4.19.2.tgz",

3
package.json
View File

@ -75,7 +75,7 @@
"codemirror": "5.65.18",
"compression": "1.7.5",
"cookie-parser": "1.4.7",
"csurf": "1.11.0",
"csrf-csrf": "3.1.0",
"dayjs": "1.11.13",
"dayjs-plugin-utc": "0.1.2",
"debounce": "2.2.0",
@ -161,7 +161,6 @@
"@types/cls-hooked": "4.3.9",
"@types/compression": "1.7.5",
"@types/cookie-parser": "1.4.8",
"@types/csurf": "1.11.5",
"@types/debounce": "1.2.4",
"@types/ejs": "3.1.5",
"@types/electron-squirrel-startup": "1.0.2",

8
src/public/app/components/entrypoints.ts
View File

@ -114,11 +114,9 @@ export default class Entrypoints extends Component {
utils.reloadFrontendApp();
}
logoutCommand() {
const $logoutForm = $('<form action="logout" method="POST">').append($(`<input type='_hidden' name="_csrf" value="${glob.csrfToken}"/>`));
$("body").append($logoutForm);
$logoutForm.trigger("submit");
async logoutCommand() {
await server.post("../logout");
window.location.replace(`/login`);
}
backInNoteHistoryCommand() {

2
src/routes/index.ts
View File

@ -19,7 +19,7 @@ function index(req: Request, res: Response) {
const view = !utils.isElectron() && req.cookies["trilium-device"] === "mobile" ? "mobile" : "desktop";
const csrfToken = req.csrfToken();
const csrfToken = (typeof req.csrfToken === "function") ? req.csrfToken() : undefined;
log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`);
// We force the page to not be cached since on mobile the CSRF token can be

3
src/routes/login.ts
View File

@ -94,8 +94,7 @@ function verifyPassword(guessedPassword: string) {
function logout(req: Request, res: Response) {
req.session.regenerate(() => {
req.session.loggedIn = false;
res.redirect("login");
res.sendStatus(200);
});
}

16
src/routes/routes.ts
View File

@ -9,12 +9,13 @@ import auth from "../services/auth.js";
import cls from "../services/cls.js";
import sql from "../services/sql.js";
import entityChangesService from "../services/entity_changes.js";
import csurf from "csurf";
import { doubleCsrf } from "csrf-csrf";
import { createPartialContentHandler } from "@triliumnext/express-partial-content";
import rateLimit from "express-rate-limit";
import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
import NotFoundError from "../errors/not_found_error.js";
import ValidationError from "../errors/validation_error.js";
import sessionSecret from "../services/session_secret.js";
// page routes
import setupRoute from "./setup.js";
@ -71,10 +72,15 @@ import etapiSpecialNoteRoutes from "../etapi/special_notes.js";
import etapiSpecRoute from "../etapi/spec.js";
import etapiBackupRoute from "../etapi/backup.js";
const csrfMiddleware = csurf({
cookie: {
path: "" // empty, so cookie is valid only for the current path
}
const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({
getSecret: () => sessionSecret,
cookieOptions: {
path: "", // empty, so cookie is valid only for the current path
secure: false,
sameSite: false,
httpOnly: false
},
cookieName: "_csrf"
});
const MAX_ALLOWED_FILE_SIZE_MB = 250;