swaf/src/components/CsrfProtectionComponent.ts

import ApplicationComponent from "../ApplicationComponent";
import {Request, Router} from "express";
import crypto from "crypto";
import {BadRequestError} from "../HttpError";

export default class CsrfProtectionComponent extends ApplicationComponent<void> {
    private static readonly excluders: ((req: Request) => boolean)[] = [];

    public static getCSRFToken(session: Express.Session): string {
        if (typeof session.csrf !== 'string') {
            session.csrf = crypto.randomBytes(64).toString('base64');
        }
        return session.csrf;
    }

    public static addExcluder(excluder: (req: Request) => boolean) {
        this.excluders.push(excluder);
    }

    public async handle(router: Router): Promise<void> {
        router.use(async (req, res, next) => {
            for (const excluder of CsrfProtectionComponent.excluders) {
                if (excluder(req)) return next();
            }

            if (!req.session) {
                throw new Error('Session is unavailable.');
            }

            res.locals.getCSRFToken = () => {
                return CsrfProtectionComponent.getCSRFToken(req.session!);
            };

            if (!['GET', 'HEAD', 'OPTIONS'].find(s => s === req.method)) {
                try {
                    if (!(await req.authGuard.isAuthenticatedViaRequest(req))) {
                        if (req.session.csrf === undefined) {
                            throw new InvalidCsrfTokenError(req.baseUrl, `You weren't assigned any CSRF token.`);
                        } else if (req.body.csrf === undefined) {
                            throw new InvalidCsrfTokenError(req.baseUrl, `You didn't provide any CSRF token.`);
                        } else if (req.session.csrf !== req.body.csrf) {
                            throw new InvalidCsrfTokenError(req.baseUrl, `Tokens don't match.`);
                        }
                    }
                } catch (e) {
                    next(e);
                    return;
                }
            }
            next();
        });
    }
}

class InvalidCsrfTokenError extends BadRequestError {
    constructor(url: string, details: string, cause?: Error) {
        super(
            `Invalid CSRF token`,
            `${details} We can't process this request. Please try again.`,
            url,
            cause
        );
    }

    get name(): string {
        return 'Invalid CSRF Token';
    }

    get errorCode(): number {
        return 401;
    }
}
Add sources 2020-04-22 15:52:17 +02:00			`import ApplicationComponent from "../ApplicationComponent";`
CSRFProtectionComponent: give more room for excluding requests 2020-08-28 16:52:43 +02:00			`import {Request, Router} from "express";`
Add sources 2020-04-22 15:52:17 +02:00			`import crypto from "crypto";`
			`import {BadRequestError} from "../HttpError";`

			`export default class CsrfProtectionComponent extends ApplicationComponent<void> {`
CSRFProtectionComponent: give more room for excluding requests 2020-08-28 16:52:43 +02:00			`private static readonly excluders: ((req: Request) => boolean)[] = [];`
Add CSRF route excluders 2020-07-08 13:28:22 +02:00
Fix some nunjucks globals not properly set and make getCSRFToken dynamic 2020-09-23 16:11:51 +02:00			`public static getCSRFToken(session: Express.Session): string {`
			`if (typeof session.csrf !== 'string') {`
			`session.csrf = crypto.randomBytes(64).toString('base64');`
			`}`
			`return session.csrf;`
			`}`

CSRFProtectionComponent: give more room for excluding requests 2020-08-28 16:52:43 +02:00			`public static addExcluder(excluder: (req: Request) => boolean) {`
			`this.excluders.push(excluder);`
Add CSRF route excluders 2020-07-08 13:28:22 +02:00			`}`

Properly split routing in 2 steps: init, handle 2020-07-11 11:46:16 +02:00			`public async handle(router: Router): Promise<void> {`
Add CsrfProtectionComponent tests and fix missing promise await 2020-07-08 10:49:29 +02:00			`router.use(async (req, res, next) => {`
CSRFProtectionComponent: give more room for excluding requests 2020-08-28 16:52:43 +02:00			`for (const excluder of CsrfProtectionComponent.excluders) {`
			`if (excluder(req)) return next();`
Add CSRF route excluders 2020-07-08 13:28:22 +02:00			`}`

Add sources 2020-04-22 15:52:17 +02:00			`if (!req.session) {`
			`throw new Error('Session is unavailable.');`
			`}`

			`res.locals.getCSRFToken = () => {`
Fix some nunjucks globals not properly set and make getCSRFToken dynamic 2020-09-23 16:11:51 +02:00			`return CsrfProtectionComponent.getCSRFToken(req.session!);`
Add sources 2020-04-22 15:52:17 +02:00			`};`

Add CsrfProtectionComponent tests and fix missing promise await 2020-07-08 10:49:29 +02:00			`if (!['GET', 'HEAD', 'OPTIONS'].find(s => s === req.method)) {`
			`try {`
			`if (!(await req.authGuard.isAuthenticatedViaRequest(req))) {`
			`if (req.session.csrf === undefined) {`
			throw new InvalidCsrfTokenError(req.baseUrl, `You weren't assigned any CSRF token.`);
			`} else if (req.body.csrf === undefined) {`
			throw new InvalidCsrfTokenError(req.baseUrl, `You didn't provide any CSRF token.`);
			`} else if (req.session.csrf !== req.body.csrf) {`
			throw new InvalidCsrfTokenError(req.baseUrl, `Tokens don't match.`);
			`}`
			`}`
			`} catch (e) {`
			`next(e);`
			`return;`
Add sources 2020-04-22 15:52:17 +02:00			`}`
			`}`
			`next();`
			`});`
			`}`
			`}`

			`class InvalidCsrfTokenError extends BadRequestError {`
			`constructor(url: string, details: string, cause?: Error) {`
			`super(`
			`Invalid CSRF token`,
			`${details} We can't process this request. Please try again.`,
			`url,`
			`cause`
			`);`
			`}`

			`get name(): string {`
			`return 'Invalid CSRF Token';`
			`}`

			`get errorCode(): number {`
			`return 401;`
			`}`
			`}`