refactor: replace csurf with csrf-csrf

I've kept the identical same settings as before – however they are not *ideal* from what I read. More secure settings will need to be tested a bit more thoroughly first and will be a separate PR.
2025-08-10 18:39:22 +08:00 · 2024-12-30 15:31:29 +01:00 · 2024-12-30 15:31:29 +01:00 · b787610717
commit b787610717
parent 5268aaee4f
1 changed files with 10 additions and 5 deletions
--- a/src/routes/routes.ts
+++ b/src/routes/routes.ts
@ -9,7 +9,7 @@ import auth from "../services/auth.js";
 import cls from "../services/cls.js";
 import sql from "../services/sql.js";
 import entityChangesService from "../services/entity_changes.js";
-import csurf from "csurf";
+import { doubleCsrf } from "csrf-csrf";
 import { createPartialContentHandler } from "@triliumnext/express-partial-content";
 import rateLimit from "express-rate-limit";
 import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
@ -71,10 +71,15 @@ import etapiSpecialNoteRoutes from "../etapi/special_notes.js";
 import etapiSpecRoute from "../etapi/spec.js";
 import etapiBackupRoute from "../etapi/backup.js";

-const csrfMiddleware = csurf({
-    cookie: {
-        path: "" // empty, so cookie is valid only for the current path
-    }
+const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({
+  getSecret: (req) => req.secret,
+  cookieOptions: {
+    path: "",       // empty, so cookie is valid only for the current path
+    secure: false,
+    sameSite: false,
+    httpOnly: false,
+  },
+  cookieName: "_csrf",
 });

 const MAX_ALLOWED_FILE_SIZE_MB = 250;