Merge pull request #744 from sasjs/sasjs-server-csrf-cookie

fix(server): csrf cookie is created explicitly
chore: error needs to be more specific
2026-01-10 22:00:05 +00:00 · 2022-08-04 02:03:06 +01:00 · 2022-08-04 05:59:39 +05:00 · 2022-08-04 05:04:43 +05:00
4 changed files with 31 additions and 15 deletions
--- a/src/auth/AuthManager.ts
+++ b/src/auth/AuthManager.ts
@@ -223,9 +223,17 @@ export class AuthManager {
  private async getNewLoginForm() {
    if (this.serverType === ServerType.Sasjs) {
-      // server will be sending CSRF cookie,
+      // server will be sending CSRF token in response,
      // need to save in cookie so that,
      // http client will use it automatically
-      return this.requestClient.get('/', undefined)
+      return this.requestClient.get('/', undefined).then(({ result }) => {
        const cookie =
          /<script>document.cookie = '(XSRF-TOKEN=.*; Max-Age=86400; SameSite=Strict; Path=\/;)'<\/script>/.exec(
            result as string
          )?.[1]
        if (cookie) document.cookie = cookie
      })
    }
    const { result: formResponse } = await this.requestClient.get<string>(
--- a/src/request/RequestClient.ts
+++ b/src/request/RequestClient.ts
@@ -19,7 +19,7 @@ import {
  parseSourceCode,
  createAxiosInstance
 } from '../utils'
-import { InvalidCsrfError } from '../types/errors/InvalidCsrfError'
+import { InvalidSASjsCsrfError } from '../types/errors/InvalidSASjsCsrfError'
 export interface HttpClient {
  get<T>(
@@ -499,12 +499,20 @@ export class RequestClient implements HttpClient {
      throw e
    }
-    if (e instanceof InvalidCsrfError) {
+    if (e instanceof InvalidSASjsCsrfError) {
-      // Fetching root will inject CSRF token in cookie
+      // Fetching root and creating CSRF cookie
      await this.httpClient
        .get('/', {
          withCredentials: true
        })
        .then((response) => {
          const cookie =
            /<script>document.cookie = '(XSRF-TOKEN=.*; Max-Age=86400; SameSite=Strict; Path=\/;)'<\/script>/.exec(
              response.data
            )?.[1]
          if (cookie) document.cookie = cookie
        })
        .catch((err) => {
          throw prefixMessage(err, 'Error while re-fetching CSRF token.')
        })
@@ -615,7 +623,7 @@ export const throwIfError = (response: AxiosResponse) => {
        typeof response.data === 'string' &&
        response.data.toLowerCase() === 'invalid csrf token!'
      ) {
-        throw new InvalidCsrfError()
+        throw new InvalidSASjsCsrfError()
      }
      break
    case 401:
--- a/src/types/errors/InvalidCsrfError.ts
+++ b/src/types/errors/InvalidCsrfError.ts
@@ -1,9 +0,0 @@
 export class InvalidCsrfError extends Error {
  constructor() {
    const message = 'Invalid CSRF token!'
    super(`Auth error: ${message}`)
    this.name = 'InvalidCsrfError'
    Object.setPrototypeOf(this, InvalidCsrfError.prototype)
  }
 }
--- a/src/types/errors/InvalidSASjsCsrfError.ts
+++ b/src/types/errors/InvalidSASjsCsrfError.ts
@@ -0,0 +1,9 @@
 export class InvalidSASjsCsrfError extends Error {
  constructor() {
    const message = 'Invalid CSRF token!'
    super(`Auth error: ${message}`)
    this.name = 'InvalidSASjsCsrfError'
    Object.setPrototypeOf(this, InvalidSASjsCsrfError.prototype)
  }
 }
Author	SHA1	Message	Date
Allan Bowe	92be5a2dca	Merge pull request #744 from sasjs/sasjs-server-csrf-cookie fix(server): csrf cookie is created explicitly	2022-08-04 02:03:06 +01:00
Saad Jutt	f58f2eba97	chore: error needs to be more specific	2022-08-04 05:59:39 +05:00
Saad Jutt	e37bb182c3	fix(server): csrf cookie is created explicitly	2022-08-04 05:04:43 +05:00