chore(release): 0.0.63

fix: added CSRF check for granting access via session authentication

.github/workflows/release.yml

@@ -8,10 +8,20 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [lts/*]
+
     steps:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ matrix.node-version }}
+
       - name: Install Dependencies WEB
         working-directory: ./web
         run: npm ci

CHANGELOG.md

@@ -2,6 +2,26 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [0.0.63](https://github.com/sasjs/server/compare/v0.0.62...v0.0.63) (2022-04-30)
+
+### [0.0.62](https://github.com/sasjs/server/compare/v0.0.61...v0.0.62) (2022-04-30)
+
+### [0.0.61](https://github.com/sasjs/server/compare/v0.0.59...v0.0.61) (2022-04-30)
+
+
+### Bug Fixes
+
+* added CSRF check for granting access via session authentication ([b060ad1](https://github.com/sasjs/server/commit/b060ad1b8e0bbc61c20dc25be553bba4cc4d2716))
+* setting CSRF Token for only rendering SPA ([b4b60c6](https://github.com/sasjs/server/commit/b4b60c69cf67a42f4797f7f1afe68b7a5eec2998))
+
+### [0.0.60](https://github.com/sasjs/server/compare/v0.0.59...v0.0.60) (2022-04-30)
+
+
+### Bug Fixes
+
+* added CSRF check for granting access via session authentication ([b060ad1](https://github.com/sasjs/server/commit/b060ad1b8e0bbc61c20dc25be553bba4cc4d2716))
+* setting CSRF Token for only rendering SPA ([b4b60c6](https://github.com/sasjs/server/commit/b4b60c69cf67a42f4797f7f1afe68b7a5eec2998))
+
 ### [0.0.59](https://github.com/sasjs/server/compare/v0.0.58...v0.0.59) (2022-04-29)
 
 

api/package-lock.json

@@ -17,6 +17,7 @@
         "csurf": "^1.11.0",
         "express": "^4.17.1",
         "express-session": "^1.17.2",
+        "helmet": "^5.0.2",
         "joi": "^17.4.2",
         "jsonwebtoken": "^8.5.1",
         "mongoose": "^6.0.12",
@@ -48,7 +49,7 @@
         "jest": "^27.0.6",
         "mongodb-memory-server": "^8.0.0",
         "nodemon": "^2.0.7",
-        "pkg": "5.5.2",
+        "pkg": "5.6.0",
         "prettier": "^2.3.1",
         "rimraf": "^3.0.2",
         "supertest": "^6.1.3",
@@ -4817,6 +4818,14 @@
         "node": ">=8"
       }
     },
+    "node_modules/helmet": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-5.0.2.tgz",
+      "integrity": "sha512-QWlwUZZ8BtlvwYVTSDTBChGf8EOcQ2LkGMnQJxSzD1mUu8CCjXJZq/BXP8eWw4kikRnzlhtYo3lCk0ucmYA3Vg==",
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
     "node_modules/html-encoding-sniffer": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-2.0.1.tgz",
@@ -8161,9 +8170,9 @@
       }
     },
     "node_modules/pkg": {
-      "version": "5.5.2",
-      "resolved": "https://registry.npmjs.org/pkg/-/pkg-5.5.2.tgz",
-      "integrity": "sha512-pD0UB2ud01C6pVv2wpGsTYJrXI/bnvGRYvMLd44wFzA1p+A2jrlTGFPAYa7YEYzmitXhx23PqalaG1eUEnSwcA==",
+      "version": "5.6.0",
+      "resolved": "https://registry.npmjs.org/pkg/-/pkg-5.6.0.tgz",
+      "integrity": "sha512-mHrAVSQWmHA41RnUmRpC7pK9lNnMfdA16CF3cqOI22a8LZxOQzF7M8YWtA2nfs+d7I0MTDXOtkDsAsFXeCpYjg==",
       "dev": true,
       "dependencies": {
         "@babel/parser": "7.16.2",
@@ -8175,7 +8184,7 @@
         "into-stream": "^6.0.0",
         "minimist": "^1.2.5",
         "multistream": "^4.1.0",
-        "pkg-fetch": "3.2.6",
+        "pkg-fetch": "3.3.0",
         "prebuild-install": "6.1.4",
         "progress": "^2.0.3",
         "resolve": "^1.20.0",
@@ -8207,9 +8216,9 @@
       }
     },
     "node_modules/pkg-fetch": {
-      "version": "3.2.6",
-      "resolved": "https://registry.npmjs.org/pkg-fetch/-/pkg-fetch-3.2.6.tgz",
-      "integrity": "sha512-Q8fx6SIT022g0cdSE4Axv/xpfHeltspo2gg1KsWRinLQZOTRRAtOOaEFghA1F3jJ8FVsh8hGrL/Pb6Ea5XHIFw==",
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/pkg-fetch/-/pkg-fetch-3.3.0.tgz",
+      "integrity": "sha512-xJnIZ1KP+8rNN+VLafwu4tEeV4m8IkFBDdCFqmAJz9K1aiXEtbARmdbEe6HlXWGSVuShSHjFXpfkKRkDBQ5kiA==",
       "dev": true,
       "dependencies": {
         "chalk": "^4.1.2",
@@ -8266,9 +8275,9 @@
       }
     },
     "node_modules/pkg-fetch/node_modules/semver": {
-      "version": "7.3.5",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.5.tgz",
-      "integrity": "sha512-PoeGJYh8HK4BTO/a9Tf6ZG3veo/A7ZVsYrSA6J8ny9nb3B1VrpkuN+z9OE5wfE5p6H4LchYZsegiQgbJD94ZFQ==",
+      "version": "7.3.7",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.7.tgz",
+      "integrity": "sha512-QlYTucUYOews+WeEujDoEGziz4K6c47V/Bd+LjSSYcA94p+DmINdf7ncaUinThfvZyu13lN9OY1XDxt8C0Tw0g==",
       "dev": true,
       "dependencies": {
         "lru-cache": "^6.0.0"
@@ -14126,6 +14135,11 @@
       "integrity": "sha512-UqBRqi4ju7T+TqGNdqAO0PaSVGsDGJUBQvk9eUWNGRY1CFGDzYhLWoM7JQEemnlvVcv/YEmc2wNW8BC24EnUsw==",
       "dev": true
     },
+    "helmet": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-5.0.2.tgz",
+      "integrity": "sha512-QWlwUZZ8BtlvwYVTSDTBChGf8EOcQ2LkGMnQJxSzD1mUu8CCjXJZq/BXP8eWw4kikRnzlhtYo3lCk0ucmYA3Vg=="
+    },
     "html-encoding-sniffer": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-2.0.1.tgz",
@@ -16635,9 +16649,9 @@
       }
     },
     "pkg": {
-      "version": "5.5.2",
-      "resolved": "https://registry.npmjs.org/pkg/-/pkg-5.5.2.tgz",
-      "integrity": "sha512-pD0UB2ud01C6pVv2wpGsTYJrXI/bnvGRYvMLd44wFzA1p+A2jrlTGFPAYa7YEYzmitXhx23PqalaG1eUEnSwcA==",
+      "version": "5.6.0",
+      "resolved": "https://registry.npmjs.org/pkg/-/pkg-5.6.0.tgz",
+      "integrity": "sha512-mHrAVSQWmHA41RnUmRpC7pK9lNnMfdA16CF3cqOI22a8LZxOQzF7M8YWtA2nfs+d7I0MTDXOtkDsAsFXeCpYjg==",
       "dev": true,
       "requires": {
         "@babel/parser": "7.16.2",
@@ -16649,7 +16663,7 @@
         "into-stream": "^6.0.0",
         "minimist": "^1.2.5",
         "multistream": "^4.1.0",
-        "pkg-fetch": "3.2.6",
+        "pkg-fetch": "3.3.0",
         "prebuild-install": "6.1.4",
         "progress": "^2.0.3",
         "resolve": "^1.20.0",
@@ -16706,9 +16720,9 @@
       }
     },
     "pkg-fetch": {
-      "version": "3.2.6",
-      "resolved": "https://registry.npmjs.org/pkg-fetch/-/pkg-fetch-3.2.6.tgz",
-      "integrity": "sha512-Q8fx6SIT022g0cdSE4Axv/xpfHeltspo2gg1KsWRinLQZOTRRAtOOaEFghA1F3jJ8FVsh8hGrL/Pb6Ea5XHIFw==",
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/pkg-fetch/-/pkg-fetch-3.3.0.tgz",
+      "integrity": "sha512-xJnIZ1KP+8rNN+VLafwu4tEeV4m8IkFBDdCFqmAJz9K1aiXEtbARmdbEe6HlXWGSVuShSHjFXpfkKRkDBQ5kiA==",
       "dev": true,
       "requires": {
         "chalk": "^4.1.2",
@@ -16750,9 +16764,9 @@
           "dev": true
         },
         "semver": {
-          "version": "7.3.5",
-          "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.5.tgz",
-          "integrity": "sha512-PoeGJYh8HK4BTO/a9Tf6ZG3veo/A7ZVsYrSA6J8ny9nb3B1VrpkuN+z9OE5wfE5p6H4LchYZsegiQgbJD94ZFQ==",
+          "version": "7.3.7",
+          "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.7.tgz",
+          "integrity": "sha512-QlYTucUYOews+WeEujDoEGziz4K6c47V/Bd+LjSSYcA94p+DmINdf7ncaUinThfvZyu13lN9OY1XDxt8C0Tw0g==",
           "dev": true,
           "requires": {
             "lru-cache": "^6.0.0"

api/package.json

@@ -56,6 +56,7 @@
     "csurf": "^1.11.0",
     "express": "^4.17.1",
     "express-session": "^1.17.2",
+    "helmet": "^5.0.2",
     "joi": "^17.4.2",
     "jsonwebtoken": "^8.5.1",
     "mongoose": "^6.0.12",
@@ -84,7 +85,7 @@
     "jest": "^27.0.6",
     "mongodb-memory-server": "^8.0.0",
     "nodemon": "^2.0.7",
-    "pkg": "5.5.2",
+    "pkg": "5.6.0",
     "prettier": "^2.3.1",
     "rimraf": "^3.0.2",
     "supertest": "^6.1.3",

api/src/app.ts

@@ -7,6 +7,7 @@ import morgan from 'morgan'
 import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'
 import cors from 'cors'
+import helmet from 'helmet'
 
 import {
   connectDB,
@@ -37,6 +38,11 @@ export const cookieOptions = {
  ***********************************/
 export const csrfProtection = csrf({ cookie: cookieOptions })
 
+/***********************************
+ *   Handle security and origin    *
+ ***********************************/
+app.use(helmet())
+
 /***********************************
  *         Enabling CORS           *
  ***********************************/

api/src/middlewares/authenticateToken.ts

@@ -1,11 +1,16 @@
 import jwt from 'jsonwebtoken'
+import { csrfProtection } from '../app'
 import { verifyTokenInDB } from '../utils'
 
 export const authenticateAccessToken = (req: any, res: any, next: any) => {
+  // if request is coming from web and has valid session
+  // we can validate the request and check for CSRF Token
   if (req.session?.loggedIn) {
     req.user = req.session.user
-    return next()
+
+    return csrfProtection(req, res, next)
   }
+
   authenticateToken(
     req,
     res,

api/src/routes/web/index.ts

@@ -4,6 +4,8 @@ import webRouter from './web'
 
 const router = express.Router()
 
-router.use('/', csrfProtection, webRouter)
+router.use(csrfProtection)
+
+router.use('/', webRouter)
 
 export default router

api/src/routes/web/web.ts

@@ -6,19 +6,17 @@ import { getWebBuildFolderPath, loginWebValidation } from '../../utils'
 
 const webRouter = express.Router()
 
-webRouter.get('/', async (_, res) => {
+webRouter.get('/', async (req, res) => {
   const indexHtmlPath = path.join(getWebBuildFolderPath(), 'index.html')
 
-  if (await fileExists(indexHtmlPath)) return res.sendFile(indexHtmlPath)
+  if (await fileExists(indexHtmlPath)) {
+    res.cookie('XSRF-TOKEN', req.csrfToken())
+    return res.sendFile(indexHtmlPath)
+  }
 
   return res.send('Web Build is not present')
 })
 
-webRouter.get('/form', function (req, res) {
-  // pass the csrfToken to the view
-  res.send({ csrfToken: req.csrfToken() })
-})
-
 webRouter.post('/login', async (req, res) => {
   const { error, value: body } = loginWebValidation(req.body)
   if (error) return res.status(400).send(error.details[0].message)

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "server",
-  "version": "0.0.59",
+  "version": "0.0.63",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "server",
-      "version": "0.0.59",
+      "version": "0.0.63",
       "devDependencies": {
         "prettier": "^2.3.1",
         "standard-version": "^9.3.2"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "server",
-  "version": "0.0.59",
+  "version": "0.0.63",
   "description": "NodeJS wrapper for calling the SAS binary executable",
   "repository": "https://github.com/sasjs/server",
   "scripts": {

web/src/components/login.tsx

@@ -10,13 +10,7 @@ const getAuthCode = async (credentials: any) =>
   axios.post('/SASjsApi/auth/authorize', credentials).then((res) => res.data)
 
 const login = async (payload: { username: string; password: string }) =>
-  axios.get('/form').then((res1) =>
-    axios
-      .post('/login', payload, {
-        headers: { 'csrf-token': res1.data.csrfToken }
-      })
-      .then((res2) => res2.data)
-  )
+  axios.post('/login', payload).then((res) => res.data)
 
 const Login = ({ getCodeOnly }: any) => {
   const location = useLocation()

web/src/context/appContext.tsx

@@ -52,6 +52,7 @@ const AppContextProvider = (props: { children: ReactNode }) => {
       })
       .catch(() => {
         setLoggedIn(false)
+        axios.get('/') // get CSRF TOKEN
       })
   }, [])