Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update csrf strategy #381

Merged
merged 2 commits into from
Dec 1, 2023
Merged

Update csrf strategy #381

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
18f43b9
feat: csrf is generated once per user session instead of once per req…
rdubigny Dec 1, 2023
b0831c9
feat: remove unused param
rdubigny Dec 1, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/managers/session.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ export const createLoggedInSession = async (
): Promise<null> => {
// we store old session value to pass it to the new logged-in session
// email will not be passed to the new session as it is not useful within logged session
// csrfToken should not be passed to the new session for security reasons
const {
interactionId,
mustReturnOneOrganizationInPayload,
Expand Down
39 changes: 8 additions & 31 deletions src/middlewares/csrf-protection.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,36 +1,13 @@
import { csrfSync } from 'csrf-sync';
import { NextFunction, Request, Response } from 'express';
import * as Sentry from '@sentry/node';
import { Request } from 'express';

const { generateToken, invalidCsrfTokenError, isRequestValid, revokeToken } =
csrfSync({
getTokenFromRequest: (req: Request) => {
return req.body['_csrf'];
},
});
const { generateToken, csrfSynchronisedProtection } = csrfSync({
getTokenFromRequest: (req: Request) => {
return req.body['_csrf'];
},
});

export const csrfProtectionMiddleware = (
req: Request,
res: Response,
next: NextFunction
) => {
const ignoredMethods = ['GET', 'HEAD', 'OPTIONS'];
const ignoredMethodsSet = new Set(ignoredMethods);
if (ignoredMethodsSet.has(req.method)) {
return next();
}

const isCsrfValid = isRequestValid(req);
// Csrf token cannot be re-used
revokeToken(req);
if (!isCsrfValid) {
const err = invalidCsrfTokenError;
Sentry.captureException(err);
return next(err);
}

next();
};
export const csrfProtectionMiddleware = csrfSynchronisedProtection;

// Csrf tokens are new for each requests
export const csrfToken = (req: Request) => generateToken(req, true);
export const csrfToken = (req: Request) => generateToken(req);
7 changes: 1 addition & 6 deletions src/views/user/unable-to-auto-join-organization.ejs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,7 @@
<div class="fr-card__desc">
<br />
<p>
⏱️ Notre équipe est en train de vous rattacher à
<% if (locals.libelle) { %>
l’organisation <%= libelle %>.
<% } else { %>
cette organisation.
<% } %>
⏱️ Notre équipe est en train de vous rattacher à cette organisation.
</p>
<p>
Vous recevrez un email pour accéder à votre démarche dès que nous aurons terminé.
Expand Down