yoinkkk/ExcaliDash
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

sign CSRF with cookie, Login rate-limit key hardened against identifier-only lockout

Browse Source
This commit is contained in:
Zimeng Xiong
2026-02-07 18:52:00 -08:00
parent fd013de325
commit 70103e18fb
6 changed files with 104 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/src/server/csrf.test.ts
+41
View File
@@ -0,0 +1,41 @@
import express from "express";
import request from "supertest";
import { describe, expect, it } from "vitest";
import { registerCsrfProtection } from "./csrf";
describe("CSRF token issuance", () => {
it("binds first-issued tokens to cookie client identity", async () => {
const app = express();
app.use(express.json());
registerCsrfProtection({
app,
isAllowedOrigin: () => true,
maxRequestsPerWindow: 100,
});
app.post("/drawings", (_req, res) => {
res.status(200).json({ ok: true });
});
const agent = request.agent(app);
const csrfRes = await agent
.get("/csrf-token")
.set("User-Agent", "csrf-test-agent-a");
expect(csrfRes.status).toBe(200);
const headerName = csrfRes.body.header as string;
const token = csrfRes.body.token as string;
expect(typeof headerName).toBe("string");
expect(typeof token).toBe("string");
const postRes = await agent
.post("/drawings")
.set("User-Agent", "csrf-test-agent-b")
.set(headerName, token)
.send({ name: "test" });
expect(postRes.status).toBe(200);
expect(postRes.body.ok).toBe(true);
});
});
backend/src/server/csrf.ts
+3 -4
View File
@@ -10,7 +10,6 @@ import {
CSRF_CLIENT_COOKIE_NAME,
getCsrfClientCookieValue,
getCsrfValidationClientIds,
getLegacyClientId,
} from "../security/csrfClient";
const CSRF_CLIENT_COOKIE_MAX_AGE_SECONDS = 60 * 60 * 24 * 30; // 30 days
@@ -53,7 +52,7 @@ export const registerCsrfProtection = ({
const getClientIdForTokenIssue = (
req: express.Request,
res: express.Response
): { clientId: string; strategy: "cookie" | "legacy-bootstrap" } => {
): { clientId: string; strategy: "cookie" } => {
const existingCookieValue = getCsrfClientCookieValue(req);
if (existingCookieValue) {
return {
@@ -65,8 +64,8 @@ export const registerCsrfProtection = ({
const generatedCookieValue = crypto.randomUUID().replace(/-/g, "");
setCsrfClientCookie(req, res, generatedCookieValue);
return {
clientId: getLegacyClientId(req),
strategy: "legacy-bootstrap",
clientId: `cookie:${generatedCookieValue}`,
strategy: "cookie",
};
};