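import type { RequestHandler } from 'express'
import csrf from 'csrf'

/**
 * Process-wide token generator. The secret is created once at startup, so
 * tokens are only valid against this process: they do not survive a restart
 * and are not shared across several instances behind a load balancer.
 *
 * NOTE(review): one shared secret means every token issued by this process
 * verifies for every client — the token is bound to the server, not to the
 * caller's session. Deriving the secret per session is the usual hardening;
 * it needs session middleware that this file does not show.
 */
const csrfTokens = new csrf()
const secret = csrfTokens.secretSync()

/** Methods defined as safe (no state change) and therefore exempt from the check. */
const SAFE_METHODS: ReadonlySet<string> = new Set(['GET', 'HEAD', 'OPTIONS'])

/**
 * Issues a fresh CSRF token to embed in a form or expose to client script.
 *
 * @returns a token string that {@link csrfProtection} will accept while this
 *   process is running.
 */
export const generateCSRFToken = (): string => csrfTokens.create(secret)

/**
 * Express middleware that rejects state-changing requests lacking a valid CSRF token.
 *
 * Safe methods (GET, HEAD, OPTIONS) pass straight through. The original code
 * exempted only GET, which rejected HEAD and, more importantly, the OPTIONS
 * preflight browsers send before a cross-origin call — a preflight never
 * carries a body or custom headers, so it can never present a token.
 *
 * Every other method must present a token in one of these locations, read in
 * this order:
 *   req.body.csrf_token          - typically populated by a body-parser.
 *   req.query.csrf_token         - Express's parsed URL query string.
 *   req.headers['csrf-token']    - the CSRF-Token HTTP request header.
 *   req.headers['xsrf-token']    - the XSRF-Token HTTP request header.
 *   req.headers['x-csrf-token']  - the X-CSRF-Token HTTP request header.
 *   req.headers['x-xsrf-token']  - the X-XSRF-Token HTTP request header.
 *
 * Responds 400 when the token is absent, is not a single string (a repeated
 * header arrives as an array; a crafted JSON body can supply any shape), or
 * fails verification against the process secret.
 */
export const csrfProtection: RequestHandler = (req, res, next) => {
  if (SAFE_METHODS.has(req.method)) return next()

  const token: unknown =
    req.body?.csrf_token ||
    req.query?.csrf_token ||
    req.headers['csrf-token'] ||
    req.headers['xsrf-token'] ||
    req.headers['x-csrf-token'] ||
    req.headers['x-xsrf-token']

  // Only a single string is a candidate token; reject arrays/objects here
  // explicitly rather than relying on how the library treats odd input.
  if (typeof token !== 'string' || !csrfTokens.verify(secret, token)) {
    return res.status(400).send('Invalid CSRF token!')
  }

  next()
}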