chore(csrf): removed _csrf completely

api/src/middlewares/csrfProtection.ts

@@ -9,17 +9,17 @@ export const generateCSRFToken = () => csrfTokens.create(secret)
 export const csrfProtection: RequestHandler = (req, res, next) => {
   if (req.method === 'GET') return next()
 
-  // The default value is a function that reads the token from the following locations, in order:
-  // req.body._csrf - typically generated by the body-parser module.
-  // req.query._csrf - a built-in from Express.js to read from the URL query string.
+  // Reads the token from the following locations, in order:
+  // req.body.csrf_token - typically generated by the body-parser module.
+  // req.query.csrf_token - a built-in from Express.js to read from the URL query string.
   // req.headers['csrf-token'] - the CSRF-Token HTTP request header.
   // req.headers['xsrf-token'] - the XSRF-Token HTTP request header.
   // req.headers['x-csrf-token'] - the X-CSRF-Token HTTP request header.
   // req.headers['x-xsrf-token'] - the X-XSRF-Token HTTP request header.
 
   const token =
-    req.body?._csrf ||
-    req.query?._csrf ||
+    req.body?.csrf_token ||
+    req.query?.csrf_token ||
     req.headers['csrf-token'] ||
     req.headers['xsrf-token'] ||
     req.headers['x-csrf-token'] ||

api/src/utils/getPreProgramVariables.ts

@@ -7,7 +7,6 @@ export const getPreProgramVariables = (req: Request): PreProgramVars => {
   const { user, accessToken } = req
   const csrfToken = req.headers['x-xsrf-token'] || req.cookies['XSRF-TOKEN']
   const sessionId = req.cookies['connect.sid']
-  const { _csrf } = req.cookies
 
   const httpHeaders: string[] = []
 
@@ -16,7 +15,6 @@ export const getPreProgramVariables = (req: Request): PreProgramVars => {
 
   const cookies: string[] = []
   if (sessionId) cookies.push(`connect.sid=${sessionId}`)
-  if (_csrf) cookies.push(`_csrf=${_csrf}`)
 
   if (cookies.length) httpHeaders.push(`cookie: ${cookies.join('; ')}`)