Tools/Notes
1
0
Fork 0
mirror of https://github.com/TriliumNext/Notes.git synced 2025-07-27 10:02:59 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #960 from pano9000/fix_csrf-csrf_existing_cookie

Browse Source 
fix(csrf): fix handling of existing _csrf cookies
This commit is contained in:
Elian Doran 2025-01-16 21:53:09 +02:00
parent 5ca876ca62
commit 62cda1bd24
No known key found for this signature in database
3 changed files with 22 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/routes/csrf_protection.ts Normal file
View File

@ -0,0 +1,15 @@
import { doubleCsrf } from "csrf-csrf";
import sessionSecret from "../services/session_secret.js";
const doubleCsrfUtilities = doubleCsrf({
getSecret: () => sessionSecret,
cookieOptions: {
path: "", // empty, so cookie is valid only for the current path
secure: false,
sameSite: false,
httpOnly: false
},
cookieName: "_csrf"
});
export const { generateToken, doubleCsrfProtection } = doubleCsrfUtilities;

6
src/routes/index.ts
View File

@ -11,6 +11,8 @@ import protectedSessionService from "../services/protected_session.js";
import packageJson from "../../package.json" with { type: "json" };
import assetPath from "../services/asset_path.js";
import appPath from "../services/app_path.js";
import { generateToken as generateCsrfToken } from "./csrf_protection.js";
import type { Request, Response } from "express";
import type BNote from "../becca/entities/bnote.js";
@ -19,7 +21,9 @@ function index(req: Request, res: Response) {
const view = !utils.isElectron() && req.cookies["trilium-device"] === "mobile" ? "mobile" : "desktop";
const csrfToken = (typeof req.csrfToken === "function") ? req.csrfToken() : undefined;
//'overwrite' set to false (default) => the existing token will be re-used and validated
//'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
const csrfToken = generateCsrfToken(req, res, false, false);
log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`);
// We force the page to not be cached since on mobile the CSRF token can be

14
src/routes/routes.ts
View File

@ -9,13 +9,12 @@ import auth from "../services/auth.js";
import cls from "../services/cls.js";
import sql from "../services/sql.js";
import entityChangesService from "../services/entity_changes.js";
import { doubleCsrf } from "csrf-csrf";
import { doubleCsrfProtection as csrfMiddleware } from "./csrf_protection.js";
import { createPartialContentHandler } from "@triliumnext/express-partial-content";
import rateLimit from "express-rate-limit";
import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
import NotFoundError from "../errors/not_found_error.js";
import ValidationError from "../errors/validation_error.js";
import sessionSecret from "../services/session_secret.js";
// page routes
import setupRoute from "./setup.js";
@ -72,16 +71,7 @@ import etapiSpecialNoteRoutes from "../etapi/special_notes.js";
import etapiSpecRoute from "../etapi/spec.js";
import etapiBackupRoute from "../etapi/backup.js";
const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({
getSecret: () => sessionSecret,
cookieOptions: {
path: "", // empty, so cookie is valid only for the current path
secure: false,
sameSite: false,
httpOnly: false
},
cookieName: "_csrf"
});
const MAX_ALLOWED_FILE_SIZE_MB = 250;
const GET = "get",