Prepare for 0.91.3-beta

Merge pull request #960 from pano9000/fix_csrf-csrf_existing_cookie
fix(csrf): fix handling of existing _csrf cookies
2025-10-31 02:16:05 +01:00 · 2025-01-16 23:05:53 +02:00 · 2025-01-16 21:54:11 +02:00
5 changed files with 25 additions and 16 deletions
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "trilium",
-  "version": "0.91.2-beta",
+  "version": "0.91.3-beta",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "trilium",
-      "version": "0.91.2-beta",
+      "version": "0.91.3-beta",
      "license": "AGPL-3.0-only",
      "dependencies": {
        "@braintree/sanitize-url": "7.1.1",
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
  "name": "trilium",
  "productName": "TriliumNext Notes",
  "description": "Build your personal knowledge base with TriliumNext Notes",
-  "version": "0.91.2-beta",
+  "version": "0.91.3-beta",
  "license": "AGPL-3.0-only",
  "main": "./dist/electron-main.js",
  "author": {
--- a/src/routes/csrf_protection.ts
+++ b/src/routes/csrf_protection.ts
@@ -0,0 +1,15 @@
 import { doubleCsrf } from "csrf-csrf";
 import sessionSecret from "../services/session_secret.js";
 const doubleCsrfUtilities = doubleCsrf({
    getSecret: () => sessionSecret,
    cookieOptions: {
        path: "", // empty, so cookie is valid only for the current path
        secure: false,
        sameSite: false,
        httpOnly: false
    },
    cookieName: "_csrf"
 });
 export const { generateToken, doubleCsrfProtection } = doubleCsrfUtilities;
--- a/src/routes/index.ts
+++ b/src/routes/index.ts
@@ -11,6 +11,8 @@ import protectedSessionService from "../services/protected_session.js";
 import packageJson from "../../package.json" with { type: "json" };
 import assetPath from "../services/asset_path.js";
 import appPath from "../services/app_path.js";
 import { generateToken as generateCsrfToken } from "./csrf_protection.js";
 import type { Request, Response } from "express";
 import type BNote from "../becca/entities/bnote.js";
@@ -19,7 +21,9 @@ function index(req: Request, res: Response) {
    const view = !utils.isElectron() && req.cookies["trilium-device"] === "mobile" ? "mobile" : "desktop";
-    const csrfToken = (typeof req.csrfToken === "function") ? req.csrfToken() : undefined;
+    //'overwrite' set to false (default) => the existing token will be re-used and validated
    //'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
    const csrfToken = generateCsrfToken(req, res, false, false);
    log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`);
    // We force the page to not be cached since on mobile the CSRF token can be
--- a/src/routes/routes.ts
+++ b/src/routes/routes.ts
@@ -9,13 +9,12 @@ import auth from "../services/auth.js";
 import cls from "../services/cls.js";
 import sql from "../services/sql.js";
 import entityChangesService from "../services/entity_changes.js";
-import { doubleCsrf } from "csrf-csrf";
+import { doubleCsrfProtection as csrfMiddleware } from "./csrf_protection.js";
 import { createPartialContentHandler } from "@triliumnext/express-partial-content";
 import rateLimit from "express-rate-limit";
 import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
 import NotFoundError from "../errors/not_found_error.js";
 import ValidationError from "../errors/validation_error.js";
 import sessionSecret from "../services/session_secret.js";
 // page routes
 import setupRoute from "./setup.js";
@@ -72,16 +71,7 @@ import etapiSpecialNoteRoutes from "../etapi/special_notes.js";
 import etapiSpecRoute from "../etapi/spec.js";
 import etapiBackupRoute from "../etapi/backup.js";
-const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({
+
    getSecret: () => sessionSecret,
    cookieOptions: {
        path: "", // empty, so cookie is valid only for the current path
        secure: false,
        sameSite: false,
        httpOnly: false
    },
    cookieName: "_csrf"
 });
 const MAX_ALLOWED_FILE_SIZE_MB = 250;
 const GET = "get",
Author	SHA1	Message	Date
Elian Doran	5dc546605b	Prepare for 0.91.3-beta	2025-01-16 23:05:53 +02:00
Elian Doran	62cda1bd24	Merge pull request #960 from pano9000/fix_csrf-csrf_existing_cookie fix(csrf): fix handling of existing _csrf cookies	2025-01-16 21:54:11 +02:00