

8 Commits

Elian Doran
a3a3b3cb5c Merge remote-tracking branch 'origin/main' into renovate/csrf-csrf-4.x 2025-07-26 15:49:50 +03:00
Jon Fuller
d4aaf4ca9b Merge branch 'develop' into renovate/csrf-csrf-4.x 2025-06-11 12:44:51 -07:00
Elian Doran
e7450b5143 Merge branch 'develop' into renovate/csrf-csrf-4.x 2025-06-08 14:31:55 +03:00
Elian Doran
fd90454eb6 Merge branch 'develop' into renovate/csrf-csrf-4.x 2025-05-17 09:51:02 +03:00
Elian Doran
f327b54c0e feat(csrf): use different token to avoid issues with old token 2025-05-16 19:45:32 +03:00
Elian Doran
f38105ef05 Merge remote-tracking branch 'origin/develop' into renovate/csrf-csrf-4.x 2025-05-16 19:34:19 +03:00
Elian Doran
6f6041ee7b fix(server): migrate csrf to v4 2025-05-15 20:39:31 +03:00
renovate[bot]
2c1517d259 chore(deps): update dependency csrf-csrf to v4 2025-05-15 16:12:11 +00:00
5 changed files with 18 additions and 13 deletions


@@ -54,7 +54,7 @@
"cls-hooked": "4.2.2",
"compression": "1.8.1",
"cookie-parser": "1.4.7",
"csrf-csrf": "3.2.2",
"csrf-csrf": "4.0.2",
"dayjs": "1.11.13",
"debounce": "2.2.0",
"debug": "4.4.1",


@@ -2,6 +2,8 @@ import { doubleCsrf } from "csrf-csrf";
import sessionSecret from "../services/session_secret.js";
import { isElectron } from "../services/utils.js";
export const CSRF_COOKIE_NAME = "trilium-csrf";
const doubleCsrfUtilities = doubleCsrf({
getSecret: () => sessionSecret,
cookieOptions: {
@@ -10,7 +12,8 @@ const doubleCsrfUtilities = doubleCsrf({
sameSite: "strict",
httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Trilium/pull/966
},
cookieName: "_csrf"
cookieName: CSRF_COOKIE_NAME,
getSessionIdentifier: (req) => req.session.id
});
export const { generateToken, doubleCsrfProtection } = doubleCsrfUtilities;
export const { generateCsrfToken, doubleCsrfProtection } = doubleCsrfUtilities;
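Review bot: `getSessionIdentifier: (req) => req.session.id` reads `req.session` unguarded, so a request that reaches `doubleCsrfProtection` without an active session (if any such route exists, e.g. token-authenticated API calls) would fail with a TypeError inside the library instead of the `EBADCSRFTOKEN` 403 that the error handler turns into a ForbiddenError. Because v4 folds the session id into the token, a token issued before the session id changes — for instance after `req.session.regenerate()` on login, if Trilium does that — stops validating; that is the binding you want, but it deserves a comment on the line such as `// v4 ties the token to the session id; tokens minted under an earlier session id no longer validate`. Making the missing-session case explicit is a one-liner: `getSessionIdentifier: (req) => { if (!req.session?.id) throw new Error("CSRF protection requires an active session"); return req.session.id; }`. The cookie rename from `_csrf` to `trilium-csrf` also leaves stale `_csrf` cookies in existing browsers — harmless for validation, but a `res.clearCookie("_csrf")` where the new token is issued would tidy them up. The `doubleCsrf({ ... })` call spans both hunks and the cookieOptions lines between them are not visible here.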


@@ -3,6 +3,7 @@ import log from "../services/log.js";
import NotFoundError from "../errors/not_found_error.js";
import ForbiddenError from "../errors/forbidden_error.js";
import HttpError from "../errors/http_error.js";
import { CSRF_COOKIE_NAME } from "./csrf_protection.js";
function register(app: Application) {
@@ -14,7 +15,7 @@ function register(app: Application) {
&& err.code === "EBADCSRFTOKEN";
if (isCsrfTokenError) {
log.error(`Invalid CSRF token: ${req.headers["x-csrf-token"]}, secret: ${req.cookies["_csrf"]}`);
log.error(`Invalid CSRF token: ${req.headers["x-csrf-token"]}, secret: ${req.cookies[CSRF_COOKIE_NAME]}`);
return next(new ForbiddenError("Invalid CSRF token"));
}
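Review bot: The new `log.error(...)` line writes the CSRF cookie value and the client-supplied `x-csrf-token` header verbatim into the server log; the cookie is the secret half of the double-submit pair and the header is attacker-controlled, so the line both leaks a credential-like value into log storage and lets a client inject arbitrary text (including newlines) into the log stream. Logging presence rather than content keeps the diagnostic value: ``log.error(`Invalid CSRF token: header ${req.headers["x-csrf-token"] ? "present" : "missing"}, cookie ${req.cookies[CSRF_COOKIE_NAME] ? "present" : "missing"}`);``. If the raw values are genuinely needed while debugging, put them behind a debug-level log rather than error. `register()` starts on the line before the hunk and continues past it.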


@@ -10,7 +10,7 @@ import protectedSessionService from "../services/protected_session.js";
import packageJson from "../../package.json" with { type: "json" };
import assetPath from "../services/asset_path.js";
import appPath from "../services/app_path.js";
import { generateToken as generateCsrfToken } from "./csrf_protection.js";
import { generateCsrfToken } from "./csrf_protection.js";
import type { Request, Response } from "express";
import type BNote from "../becca/entities/bnote.js";
@@ -19,9 +19,10 @@ function index(req: Request, res: Response) {
const options = optionService.getOptionMap();
const view = getView(req);
//'overwrite' set to false (default) => the existing token will be re-used and validated
//'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
const csrfToken = generateCsrfToken(req, res, false, false);
const csrfToken = generateCsrfToken(req, res, {
overwrite: false,
validateOnReuse: false // if validation fails, generate a new token instead of throwing an error
});
log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`);
// We force the page to not be cached since on mobile the CSRF token can be
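Review bot: The surviving comment above the call (`//'overwrite' set to false (default) => the existing token will be re-used and validated`) now documents only half of the options object while the other half is explained inline on the `validateOnReuse` line, so the contract is split across two places; one block comment above the call reads better: `// overwrite:false reuses a token that still validates against the cookie; validateOnReuse:false reissues (instead of throwing) when the existing one no longer does, e.g. if the session id changed.` The trailing `csrfToken ? "Successful" : "Failed"` log presumes the generator can return a falsy value; if v4's generateCsrfToken throws on failure rather than returning undefined (which the call shape suggests, but I cannot confirm from here), the "Failed" branch is unreachable and the exception propagates out of `index()` uncaught — worth confirming and either wrapping the call or dropping the ternary. `index()` begins at the hunk header line and continues past the hunk.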

pnpm-lock.yaml generated

@@ -625,8 +625,8 @@ importers:
specifier: 1.4.7
version: 1.4.7
csrf-csrf:
specifier: 3.2.2
version: 3.2.2
specifier: 4.0.2
version: 4.0.2
dayjs:
specifier: 1.11.13
version: 1.11.13
@@ -7467,8 +7467,8 @@ packages:
resolution: {integrity: sha512-n63i0lZ0rvQ6FXiGQ+/JFCKAUyPFhLQYJIqKaa+tSJtfKeULF/IDNDAbdnSIxgS4NTuw2b0+lj8LzfITuq+ZxQ==}
engines: {node: '>=12.10'}
csrf-csrf@3.2.2:
resolution: {integrity: sha512-E3TgLWX1e+jqigDva+nFItfqa59UZ+gLR56DVNyL/xawBGwQr8o3U4/o1gP9FZmIWLnWCiIl5ni85MghMCNRfg==}
csrf-csrf@4.0.2:
resolution: {integrity: sha512-jWI4uDjZn1EedVSa6WhiL6L6M5XmSemXLgCDGwrdPLtkCThSDDTj4ewokTTqrW8JZYcfJ3oY4LFCtXgQ2XAg5Q==}
css-declaration-sorter@6.4.1:
resolution: {integrity: sha512-rtdthzxKuyq6IzqX6jEcIzQF/YqccluefyCYheovBOLhFT/drQA9zj/UbRAa9J7C0o6EG6u3E6g+vKkay7/k3g==}
@@ -23855,7 +23855,7 @@ snapshots:
cross-zip@4.0.1: {}
csrf-csrf@3.2.2:
csrf-csrf@4.0.2:
dependencies:
http-errors: 2.0.0