revert: reverts csrf-csrf back to csurf (#1442)

* revert: reverts csrf-csrf back to csurf This reverts csrf-csrf change brought on by `9e3119` in #1393 back to `csurf` that is maintained * fix: type declarations for csurf
2025-03-11 09:33:40 +08:00
parent cdfb30ea16
commit 21ab20bba9
5 changed files with 57 additions and 29 deletions
--- a/server/index.ts
+++ b/server/index.ts
@@ -1,3 +1,4 @@
+import csurf from '@dr.pogodin/csurf';
 import PlexAPI from '@server/api/plexapi';
 import dataSource, { getRepository, isPgsql } from '@server/datasource';
 import DiscoverSlider from '@server/entity/DiscoverSlider';
@@ -28,7 +29,6 @@ import restartFlag from '@server/utils/restartFlag';
 import { getClientIp } from '@supercharge/request-ip';
 import { TypeormStore } from 'connect-typeorm/out';
 import cookieParser from 'cookie-parser';
-import { doubleCsrf } from 'csrf-csrf';
 import type { NextFunction, Request, Response } from 'express';
 import express from 'express';
 import * as OpenApiValidator from 'express-openapi-validator';
@@ -162,23 +162,18 @@ app
      }
    });
    if (settings.network.csrfProtection) {
-      const { doubleCsrfProtection, generateToken } = doubleCsrf({
-        getSecret: () => settings.clientId,
-        cookieName: 'XSRF-TOKEN',
-        cookieOptions: {
-          httpOnly: true,
-          sameSite: 'strict',
-          secure: !dev,
-        },
-        size: 64,
-        ignoredMethods: ['GET', 'HEAD', 'OPTIONS'],
-      });
-
-      server.use(doubleCsrfProtection);
-
+      server.use(
+        csurf({
+          cookie: {
+            httpOnly: true,
+            sameSite: true,
+            secure: !dev,
+          },
+        })
+      );
      server.use((req, res, next) => {
-        res.cookie('XSRF-TOKEN', generateToken(req, res), {
-          sameSite: 'strict',
+        res.cookie('XSRF-TOKEN', req.csrfToken(), {
+          sameSite: true,
          secure: !dev,
        });
        next();
--- a/server/types/custom.d.ts
+++ b/server/types/custom.d.ts
@@ -0,0 +1,4 @@
+declare module '@dr.pogodin/csurf' {
+  import csrf = require('csurf');
+  export = csrf;
+}