fix(csrfMiddleware): use sessionSecret instead

since `cookie-parser` is not configured with a secret,
req.secret is not set and hence is `undefined`,
which then is used as literal 'undefined' in the hashing function – making it less secure.

Instead, we can use the existing sessionSecret:
the `csrf-csrf` developer confirmed in their Discord chat
that it would be ok to use the same secret here.
Panagiotis Papadopoulos 2025-01-05 19:27:11 +01:00
parent b787610717
commit d20a3bab2a


@ -15,6 +15,7 @@ import rateLimit from "express-rate-limit";
import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js"; import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
import NotFoundError from "../errors/not_found_error.js"; import NotFoundError from "../errors/not_found_error.js";
import ValidationError from "../errors/validation_error.js"; import ValidationError from "../errors/validation_error.js";
import sessionSecret from "../services/session_secret.js";
// page routes // page routes
import setupRoute from "./setup.js"; import setupRoute from "./setup.js";
@ -72,7 +73,7 @@ import etapiSpecRoute from "../etapi/spec.js";
import etapiBackupRoute from "../etapi/backup.js"; import etapiBackupRoute from "../etapi/backup.js";
const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({ const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({
getSecret: (req) => req.secret, getSecret: () => sessionSecret,
cookieOptions: { cookieOptions: {
path: "", // empty, so cookie is valid only for the current path path: "", // empty, so cookie is valid only for the current path
secure: false, secure: false,