sasjs/server
1
0
Fork 0
mirror of https://github.com/sasjs/server.git synced 2026-01-08 15:00:05 +00:00
Code Issues Projects Releases Wiki Activity

fix: csrf package is changed to pillarjs-csrf

Browse Source
This commit is contained in:
Saad Jutt
2022-09-29 20:33:30 +05:00
parent 375f924f45
commit fe3e5088f8
13 changed files with 108 additions and 132 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
api/src/middlewares/authenticateToken.ts
View File

@@ -1,6 +1,6 @@
import { RequestHandler, Request, Response, NextFunction } from 'express'
import jwt from 'jsonwebtoken'
import { csrfProtection } from '../app'
import { csrfProtection } from './'
import {
fetchLatestAutoExec,
ModeType,

4
api/src/middlewares/authorize.ts
View File

@@ -10,9 +10,7 @@ import { getPath, isPublicRoute } from '../utils'
export const authorize: RequestHandler = async (req, res, next) => {
const { user } = req
if (!user) {
return res.sendStatus(401)
}
if (!user) return res.sendStatus(401)
// no need to check for permissions when user is admin
if (user.isAdmin) return next()

32
api/src/middlewares/csrfProtection.ts Normal file
View File

@@ -0,0 +1,32 @@
import { RequestHandler } from 'express'
import csrf from 'csrf'
const csrfTokens = new csrf()
const secret = csrfTokens.secretSync()
export const generateCSRFToken = () => csrfTokens.create(secret)
export const csrfProtection: RequestHandler = (req, res, next) => {
if (req.method === 'GET') return next()
// The default value is a function that reads the token from the following locations, in order:
// req.body._csrf - typically generated by the body-parser module.
// req.query._csrf - a built-in from Express.js to read from the URL query string.
// req.headers['csrf-token'] - the CSRF-Token HTTP request header.
// req.headers['xsrf-token'] - the XSRF-Token HTTP request header.
// req.headers['x-csrf-token'] - the X-CSRF-Token HTTP request header.
// req.headers['x-xsrf-token'] - the X-XSRF-Token HTTP request header.
const token =
req.body?._csrf ||
req.query?._csrf ||
req.headers['csrf-token'] ||
req.headers['xsrf-token'] ||
req.headers['x-csrf-token'] ||
req.headers['x-xsrf-token']
if (!csrfTokens.verify(secret, token)) {
return res.status(400).send('Invalid CSRF token!')
}
next()
}

3
api/src/middlewares/index.ts
View File

@@ -1,5 +1,6 @@
export * from './authenticateToken'
export * from './authorize'
export * from './csrfProtection'
export * from './desktop'
export * from './verifyAdmin'
export * from './verifyAdminIfNeeded'
export * from './authorize'