Replace csurf with csrf-sync

2025-11-01 19:46:01 +01:00 · 2023-01-29 20:31:21 +10:30
parent b00cd8be41
commit 5a994290f2
5 changed files with 22 additions and 5 deletions
--- a/install/package.json
+++ b/install/package.json
@@ -55,7 +55,7 @@
        "cookie-parser": "1.4.6",
        "cron": "2.2.0",
        "cropperjs": "1.5.13",
-        "csurf": "1.11.0",
+        "csrf-sync": "4.0.0",
        "daemon": "1.1.0",
        "diff": "5.1.0",
        "esbuild": "0.17.8",
--- a/src/controllers/api.js
+++ b/src/controllers/api.js
@@ -9,6 +9,7 @@ const categories = require('../categories');
 const plugins = require('../plugins');
 const translator = require('../translator');
 const languages = require('../languages');
+const { generateToken } = require('../middleware/csrf');

 const apiController = module.exports;

@@ -64,7 +65,7 @@ apiController.loadConfig = async function (req) {
 		'cache-buster': meta.config['cache-buster'] || '',
 		topicPostSort: meta.config.topicPostSort || 'oldest_to_newest',
 		categoryTopicSort: meta.config.categoryTopicSort || 'newest_to_oldest',
-		csrf_token: req.uid >= 0 && req.csrfToken && req.csrfToken(),
+		csrf_token: req.uid >= 0 ? generateToken(req) : undefined,
 		searchEnabled: plugins.hooks.hasListeners('filter:search.query'),
 		searchDefaultInQuick: meta.config.searchDefaultInQuick || 'titles',
 		bootswatchSkin: meta.config.bootswatchSkin || '',
--- a/src/middleware/csrf.js
+++ b/src/middleware/csrf.js
@@ -0,0 +1,15 @@
+'use strict';
+
+const { csrfSync } = require('csrf-sync');
+
+const {
+	generateToken,
+	csrfSynchronisedProtection,
+} = csrfSync({
+	size: 64
+});
+
+module.exports = {
+	generateToken,
+	csrfSynchronisedProtection,
+};
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -2,7 +2,7 @@

 const async = require('async');
 const path = require('path');
-const csrf = require('csurf');
+const { csrfSynchronisedProtection } = require('./csrf');
 const validator = require('validator');
 const nconf = require('nconf');
 const toobusy = require('toobusy-js');
@@ -34,7 +34,7 @@ middleware.regexes = {
 	timestampedUpload: /^\d+-.+$/,
 };

-const csrfMiddleware = csrf();
+const csrfMiddleware = csrfSynchronisedProtection;

 middleware.applyCSRF = function (req, res, next) {
 	if (req.uid >= 0) {
--- a/src/routes/authentication.js
+++ b/src/routes/authentication.js
@@ -10,6 +10,7 @@ const meta = require('../meta');
 const controllers = require('../controllers');
 const helpers = require('../controllers/helpers');
 const plugins = require('../plugins');
+const { generateToken } = require('../middleware/csrf');

 let loginStrategies = [];

@@ -108,7 +109,7 @@ Auth.reloadRoutes = async function (params) {
 				};

 				if (strategy.checkState !== false) {
-					req.session.ssoState = req.csrfToken && req.csrfToken();
+					req.session.ssoState = generateToken(req, true);
 					opts.state = req.session.ssoState;
 				}