fix: added CSRF check for granting access via session authentication

api/src/app.ts

@@ -7,6 +7,7 @@ import morgan from 'morgan'
 import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'
 import cors from 'cors'
+import helmet from 'helmet'
 
 import {
   connectDB,
@@ -37,6 +38,11 @@ export const cookieOptions = {
  ***********************************/
 export const csrfProtection = csrf({ cookie: cookieOptions })
 
+/***********************************
+ *   Handle security and origin    *
+ ***********************************/
+app.use(helmet())
+
 /***********************************
  *         Enabling CORS           *
  ***********************************/

api/src/middlewares/authenticateToken.ts

@@ -1,11 +1,16 @@
 import jwt from 'jsonwebtoken'
+import { csrfProtection } from '../app'
 import { verifyTokenInDB } from '../utils'
 
 export const authenticateAccessToken = (req: any, res: any, next: any) => {
+  // if request is coming from web and has valid session
+  // we can validate the request and check for CSRF Token
   if (req.session?.loggedIn) {
     req.user = req.session.user
-    return next()
+
+    return csrfProtection(req, res, next)
   }
+
   authenticateToken(
     req,
     res,

api/src/routes/web/index.ts

@@ -4,6 +4,13 @@ import webRouter from './web'
 
 const router = express.Router()
 
-router.use('/', csrfProtection, webRouter)
+router.use(csrfProtection)
+
+router.use(function (req, res, next) {
+  res.cookie('XSRF-TOKEN', req.csrfToken())
+  next()
+})
+
+router.use('/', webRouter)
 
 export default router

api/src/routes/web/web.ts

@@ -14,11 +14,6 @@ webRouter.get('/', async (_, res) => {
   return res.send('Web Build is not present')
 })
 
-webRouter.get('/form', function (req, res) {
-  // pass the csrfToken to the view
-  res.send({ csrfToken: req.csrfToken() })
-})
-
 webRouter.post('/login', async (req, res) => {
   const { error, value: body } = loginWebValidation(req.body)
   if (error) return res.status(400).send(error.details[0].message)