Merge branch 'main' into issue-139

api/src/app.ts

@@ -1,5 +1,6 @@
 import path from 'path'
 import express, { ErrorRequestHandler } from 'express'
+import csrf from 'csurf'
 import session from 'express-session'
 import MongoStore from 'connect-mongo'
 import morgan from 'morgan'
@@ -20,8 +21,25 @@ dotenv.config()
 
 const app = express()
 
-const { MODE, CORS, WHITELIST } = process.env
+app.use(cookieParser())
+app.use(morgan('tiny'))
 
+const { MODE, CORS, WHITELIST, PROTOCOL } = process.env
+
+export const cookieOptions = {
+  secure: PROTOCOL === 'https',
+  httpOnly: true,
+  maxAge: 24 * 60 * 60 * 1000 // 24 hours
+}
+
+/***********************************
+ *         CSRF Protection         *
+ ***********************************/
+export const csrfProtection = csrf({ cookie: cookieOptions })
+
+/***********************************
+ *         Enabling CORS           *
+ ***********************************/
 if (MODE?.trim() !== 'server' || CORS?.trim() === 'enable') {
   const whiteList: string[] = []
   WHITELIST?.split(' ')
@@ -36,35 +54,35 @@ if (MODE?.trim() !== 'server' || CORS?.trim() === 'enable') {
   app.use(cors({ credentials: true, origin: whiteList }))
 }
 
+/***********************************
+ *         DB Connection &          *
+ *        Express Sessions          *
+ *        With Mongo Store          *
+ ***********************************/
 if (MODE?.trim() === 'server') {
   // NOTE: when exporting app.js as agent for supertest
   // we should exclude connecting to the real database
   if (process.env.NODE_ENV !== 'test') {
     const clientPromise = connectDB().then((conn) => conn!.getClient() as any)
 
-    const { PROTOCOL } = process.env
-
     app.use(
       session({
         secret: process.env.SESSION_SECRET as string,
         saveUninitialized: false, // don't create session until something stored
         resave: false, //don't save session if unmodified
         store: MongoStore.create({ clientPromise, collectionName: 'sessions' }),
-        cookie: {
-          secure: PROTOCOL === 'https',
-          maxAge: 24 * 60 * 60 * 1000 // 24 hours
-        }
+        cookie: cookieOptions
       })
     )
   }
 }
-
-app.use(cookieParser())
-app.use(morgan('tiny'))
 app.use(express.json({ limit: '100mb' }))
 app.use(express.static(path.join(__dirname, '../public')))
 
 const onError: ErrorRequestHandler = (err, req, res, next) => {
+  if (err.code === 'EBADCSRFTOKEN')
+    return res.status(400).send('Invalid CSRF token!')
+
   console.error(err.stack)
   res.status(500).send('Something broke!')
 }

api/src/routes/setupRoutes.ts

@@ -5,7 +5,6 @@ import apiRouter from './api'
 import appStreamRouter from './appStream'
 
 export const setupRoutes = (app: Express) => {
-  app.use('/', webRouter)
   app.use('/SASjsApi', apiRouter)
 
   app.use('/AppStream', function (req, res, next) {
@@ -13,4 +12,6 @@ export const setupRoutes = (app: Express) => {
     // whatever the current router is
     appStreamRouter(req, res, next)
   })
+
+  app.use('/', webRouter)
 }

api/src/routes/web/index.ts

@@ -1,8 +1,9 @@
 import express from 'express'
+import { csrfProtection } from '../../app'
 import webRouter from './web'
 
 const router = express.Router()
 
-router.use('/', webRouter)
+router.use('/', csrfProtection, webRouter)
 
 export default router

api/src/routes/web/web.ts

@@ -14,6 +14,11 @@ webRouter.get('/', async (_, res) => {
   return res.send('Web Build is not present')
 })
 
+webRouter.get('/form', function (req, res) {
+  // pass the csrfToken to the view
+  res.send({ csrfToken: req.csrfToken() })
+})
+
 webRouter.post('/login', async (req, res) => {
   const { error, value: body } = loginWebValidation(req.body)
   if (error) return res.status(400).send(error.details[0].message)