import { doubleCsrf } from "csrf-csrf";
import { v4 as uuid } from "uuid";
import express from "express";
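/**
 * Secret used to sign the double-submit CSRF tokens.
 *
 * It is generated once at process start, so tokens issued before a restart,
 * or by another instance of this app, will not validate. A v4 UUID carries
 * roughly 122 bits of randomness, which is adequate for a signing secret, but
 * a shared, externally supplied secret is required as soon as more than one
 * process serves requests.
 */
const CSRF_SECRET = uuid();

/**
 * Double-submit-cookie CSRF protection from `csrf-csrf`.
 *
 * - `generateToken` produces the per-response token (see `injectCsrfToken`).
 * - `doubleCsrfProtection` is the validating middleware, exported below as
 *   `checkCsrfToken`.
 *
 * The submitted token is read from the `_csrf` form field first and from the
 * `_csrf` query parameter second. `req.body` only exists once a body parser
 * has run, so it is accessed with optional chaining; previously a request that
 * reached the check without a parsed body threw a TypeError instead of being
 * rejected as token-less.
 */
const { generateToken, doubleCsrfProtection } = doubleCsrf({
  getSecret: () => CSRF_SECRET,
  cookieName: "csrf",
  // `sameSite: "strict"` keeps the cookie off cross-site requests. Options not
  // listed here fall back to the library defaults — confirm `secure` and
  // `httpOnly` are in effect for production deployments.
  cookieOptions: { sameSite: "strict", path: "/" },
  // NOTE(review): a token accepted from the query string can end up in access
  // logs and Referer headers; the body field should remain the primary channel.
  getTokenFromRequest: (req) => req.body?.["_csrf"] || req.query["_csrf"],
});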
/**
 * Exposes a fresh CSRF token to views as `res.locals.csrfToken` and marks the
 * response as non-cacheable.
 *
 * The no-store headers make the browser fetch the page again — and thus a new
 * token — when it is reached via the back button, instead of reusing a cached
 * copy whose token may no longer match the cookie.
 */
const injectCsrfToken: express.RequestHandler = (req, res, next) => {
  // Header set that disables caching for both HTTP/1.0 and HTTP/1.1 clients.
  const noStoreHeaders: ReadonlyArray<readonly [string, string]> = [
    ["Cache-Control", "no-cache, no-store, must-revalidate"],
    ["Pragma", "no-cache"],
    ["Expires", "0"],
  ];

  res.locals.csrfToken = generateToken(res, req);

  // TODO: implement session-based CSRF tokens
  for (const [name, value] of noStoreHeaders) {
    res.setHeader(name, value);
  }

  next();
};
// Public surface: `injectCsrfToken` populates `res.locals.csrfToken`;
// `checkCsrfToken` is the library's validating middleware under a local name.
export { injectCsrfToken };
export { doubleCsrfProtection as checkCsrfToken };