From d20a3bab2acf0f33019d31756cb9e7365850482b Mon Sep 17 00:00:00 2001
From: Panagiotis Papadopoulos
Date: Sun, 5 Jan 2025 19:27:11 +0100
Subject: [PATCH] fix(csrfMiddleware): use sessionSecret instead
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

since `cookie-parser` is not configured with a secret, req.secret is not set and hence is `undefined`, which then is used as literal 'undefined' in the hashing function – making it less secure.

Instead we can use the existing sessionSecret: the `csrf-csrf` developer confirmed in their Discord chat, that it would be ok to use the same secret here.
---
 src/routes/routes.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/routes/routes.ts b/src/routes/routes.ts
index 63d85183d..f4f9314fe 100644
--- a/src/routes/routes.ts
+++ b/src/routes/routes.ts
@@ -15,6 +15,7 @@ import rateLimit from "express-rate-limit";
 import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
 import NotFoundError from "../errors/not_found_error.js";
 import ValidationError from "../errors/validation_error.js";
+import sessionSecret from "../services/session_secret.js";
 
 // page routes
 import setupRoute from "./setup.js";
@@ -72,7 +73,7 @@ import etapiSpecRoute from "../etapi/spec.js";
 import etapiBackupRoute from "../etapi/backup.js";
 
 const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({
-    getSecret: (req) => req.secret,
+    getSecret: () => sessionSecret,
     cookieOptions: {
         path: "", // empty, so cookie is valid only for the current path
         secure: false,
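Review bot: `getSecret: () => sessionSecret` can reproduce the very failure this commit fixes if the imported value is ever empty or undefined (for example when the secret cannot be loaded — `session_secret.js` is outside this hunk, so that is inferred): csrf-csrf would again silently hash with a falsy key, so it is better to fail at startup with `if (!sessionSecret) throw new Error("sessionSecret is not set; cannot configure CSRF protection");` placed before the `doubleCsrf({` call. Reusing the session-signing secret verbatim for the CSRF token HMAC also couples the two mechanisms, so rotating or exposing one affects the other; a derived key keeps them separated, e.g. `getSecret: () => crypto.createHmac("sha256", sessionSecret).update("csrf-csrf").digest("hex")` (needs `import crypto from "node:crypto";` alongside the other imports). A short comment such as `// cookie-parser has no secret configured, so req.secret is undefined; use the session secret instead` would keep the reasoning from the commit message next to the code. The doubleCsrf options object continues past the end of the hunk.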