chore(release): 0.0.60

Merge pull request #155 from sasjs/api-access-via-session-authentication
fix: added CSRF check for granting access via session authentication
2025-12-10 19:34:34 +00:00 · 2022-04-30 18:53:44 +00:00 · 2022-04-30 21:44:35 +03:00 · 2022-04-30 06:32:24 +05:00 · 2022-04-30 05:04:27 +05:00
11 changed files with 48 additions and 19 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,14 @@

 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

+### [0.0.60](https://github.com/sasjs/server/compare/v0.0.59...v0.0.60) (2022-04-30)
+
+
+### Bug Fixes
+
+* added CSRF check for granting access via session authentication ([b060ad1](https://github.com/sasjs/server/commit/b060ad1b8e0bbc61c20dc25be553bba4cc4d2716))
+* setting CSRF Token for only rendering SPA ([b4b60c6](https://github.com/sasjs/server/commit/b4b60c69cf67a42f4797f7f1afe68b7a5eec2998))
+
 ### [0.0.59](https://github.com/sasjs/server/compare/v0.0.58...v0.0.59) (2022-04-29)


--- a/api/package-lock.json
+++ b/api/package-lock.json
@@ -17,6 +17,7 @@
        "csurf": "^1.11.0",
        "express": "^4.17.1",
        "express-session": "^1.17.2",
+        "helmet": "^5.0.2",
        "joi": "^17.4.2",
        "jsonwebtoken": "^8.5.1",
        "mongoose": "^6.0.12",
@@ -4817,6 +4818,14 @@
        "node": ">=8"
      }
    },
+    "node_modules/helmet": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-5.0.2.tgz",
+      "integrity": "sha512-QWlwUZZ8BtlvwYVTSDTBChGf8EOcQ2LkGMnQJxSzD1mUu8CCjXJZq/BXP8eWw4kikRnzlhtYo3lCk0ucmYA3Vg==",
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
    "node_modules/html-encoding-sniffer": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-2.0.1.tgz",
@@ -14126,6 +14135,11 @@
      "integrity": "sha512-UqBRqi4ju7T+TqGNdqAO0PaSVGsDGJUBQvk9eUWNGRY1CFGDzYhLWoM7JQEemnlvVcv/YEmc2wNW8BC24EnUsw==",
      "dev": true
    },
+    "helmet": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-5.0.2.tgz",
+      "integrity": "sha512-QWlwUZZ8BtlvwYVTSDTBChGf8EOcQ2LkGMnQJxSzD1mUu8CCjXJZq/BXP8eWw4kikRnzlhtYo3lCk0ucmYA3Vg=="
+    },
    "html-encoding-sniffer": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-2.0.1.tgz",
--- a/api/package.json
+++ b/api/package.json
@@ -56,6 +56,7 @@
    "csurf": "^1.11.0",
    "express": "^4.17.1",
    "express-session": "^1.17.2",
+    "helmet": "^5.0.2",
    "joi": "^17.4.2",
    "jsonwebtoken": "^8.5.1",
    "mongoose": "^6.0.12",
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -7,6 +7,7 @@ import morgan from 'morgan'
 import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'
 import cors from 'cors'
+import helmet from 'helmet'

 import {
  connectDB,
@@ -37,6 +38,11 @@ export const cookieOptions = {
 ***********************************/
 export const csrfProtection = csrf({ cookie: cookieOptions })

+/***********************************
+ *   Handle security and origin    *
+ ***********************************/
+app.use(helmet())
+
 /***********************************
 *         Enabling CORS           *
 ***********************************/
--- a/api/src/middlewares/authenticateToken.ts
+++ b/api/src/middlewares/authenticateToken.ts
@@ -1,11 +1,16 @@
 import jwt from 'jsonwebtoken'
+import { csrfProtection } from '../app'
 import { verifyTokenInDB } from '../utils'

 export const authenticateAccessToken = (req: any, res: any, next: any) => {
+  // if request is coming from web and has valid session
+  // we can validate the request and check for CSRF Token
  if (req.session?.loggedIn) {
    req.user = req.session.user
-    return next()
+
+    return csrfProtection(req, res, next)
  }
+
  authenticateToken(
    req,
    res,
--- a/api/src/routes/web/index.ts
+++ b/api/src/routes/web/index.ts
@@ -4,6 +4,8 @@ import webRouter from './web'

 const router = express.Router()

-router.use('/', csrfProtection, webRouter)
+router.use(csrfProtection)
+
+router.use('/', webRouter)

 export default router
--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -6,19 +6,17 @@ import { getWebBuildFolderPath, loginWebValidation } from '../../utils'

 const webRouter = express.Router()

-webRouter.get('/', async (_, res) => {
+webRouter.get('/', async (req, res) => {
  const indexHtmlPath = path.join(getWebBuildFolderPath(), 'index.html')

-  if (await fileExists(indexHtmlPath)) return res.sendFile(indexHtmlPath)
+  if (await fileExists(indexHtmlPath)) {
+    res.cookie('XSRF-TOKEN', req.csrfToken())
+    return res.sendFile(indexHtmlPath)
+  }

  return res.send('Web Build is not present')
 })

-webRouter.get('/form', function (req, res) {
-  // pass the csrfToken to the view
-  res.send({ csrfToken: req.csrfToken() })
-})
-
 webRouter.post('/login', async (req, res) => {
  const { error, value: body } = loginWebValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "server",
-  "version": "0.0.59",
+  "version": "0.0.60",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "server",
-      "version": "0.0.59",
+      "version": "0.0.60",
      "devDependencies": {
        "prettier": "^2.3.1",
        "standard-version": "^9.3.2"
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "server",
-  "version": "0.0.59",
+  "version": "0.0.60",
  "description": "NodeJS wrapper for calling the SAS binary executable",
  "repository": "https://github.com/sasjs/server",
  "scripts": {
--- a/web/src/components/login.tsx
+++ b/web/src/components/login.tsx
@@ -10,13 +10,7 @@ const getAuthCode = async (credentials: any) =>
  axios.post('/SASjsApi/auth/authorize', credentials).then((res) => res.data)

 const login = async (payload: { username: string; password: string }) =>
-  axios.get('/form').then((res1) =>
-    axios
-      .post('/login', payload, {
-        headers: { 'csrf-token': res1.data.csrfToken }
-      })
-      .then((res2) => res2.data)
-  )
+  axios.post('/login', payload).then((res) => res.data)

 const Login = ({ getCodeOnly }: any) => {
  const location = useLocation()
--- a/web/src/context/appContext.tsx
+++ b/web/src/context/appContext.tsx
@@ -52,6 +52,7 @@ const AppContextProvider = (props: { children: ReactNode }) => {
      })
      .catch(() => {
        setLoggedIn(false)
+        axios.get('/') // get CSRF TOKEN
      })
  }, [])
Author	SHA1	Message	Date
Allan Bowe	09611cb416	chore(release): 0.0.60	2022-04-30 18:53:44 +00:00
Allan Bowe	2a9bb6e6b1	Merge pull request #155 from sasjs/api-access-via-session-authentication fix: added CSRF check for granting access via session authentication	2022-04-30 21:44:35 +03:00
Saad Jutt	b4b60c69cf	fix: setting CSRF Token for only rendering SPA	2022-04-30 06:32:24 +05:00
Saad Jutt	b060ad1b8e	fix: added CSRF check for granting access via session authentication	2022-04-30 05:04:27 +05:00