Tools/Notes
1
0
Fork 0
mirror of https://github.com/TriliumNext/Notes.git synced 2025-09-01 04:12:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(csrfMiddleware): use sessionSecret instead

Browse Source 
since `cookie-parser` is not configured with a secret,
req.secret is not set and hence is `undefined`,
which then is used as literal 'undefined' in the hashing function – making it less secure.

Instead we can use the existing sessionSecret:
the `csrf-csrf` developer confirmed in their Discord chat,
that it would be ok to use the same secret here.
This commit is contained in:
Panagiotis Papadopoulos 2025-01-05 19:27:11 +01:00
parent b787610717
commit d20a3bab2a
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/routes/routes.ts
View File

@ -15,6 +15,7 @@ import rateLimit from "express-rate-limit";
import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
import NotFoundError from "../errors/not_found_error.js";
import ValidationError from "../errors/validation_error.js";
import sessionSecret from "../services/session_secret.js";
// page routes
import setupRoute from "./setup.js";
@ -72,7 +73,7 @@ import etapiSpecRoute from "../etapi/spec.js";
import etapiBackupRoute from "../etapi/backup.js";
const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({
getSecret: (req) => req.secret,
getSecret: () => sessionSecret,
cookieOptions: {
path: "", // empty, so cookie is valid only for the current path
secure: false,