chore: clean up CSRF implementation

- Remove unused generateCsrfToken export from security.ts
  - Remove redundant /csrf-token path check (GET already exempt)
  - Restore defineConfig wrapper in vitest.config.ts for type safety
Zimeng Xiong
2026-01-14 08:21:49 -08:00
parent 8a78b2bb2e
commit e4e48b13d8
4 changed files with 12 additions and 15 deletions
+1 -5
@@ -381,16 +381,12 @@ const csrfProtectionMiddleware = (
next: express.NextFunction
) => {
// Skip CSRF validation for safe methods (GET, HEAD, OPTIONS)
// Note: /csrf-token is a GET endpoint, so it's automatically exempt
const safeMethods = ["GET", "HEAD", "OPTIONS"];
if (safeMethods.includes(req.method)) {
return next();
}
// Skip CSRF for the CSRF token endpoint itself
if (req.path === "/csrf-token") {
return next();
}
// Origin/Referer check for defense in depth
const origin = req.headers["origin"];
const referer = req.headers["referer"];
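Review bot: The exemption at `if (safeMethods.includes(req.method))` is only sound while no GET/HEAD/OPTIONS route mutates state, and the new comment on the line above the array does not record that invariant even though it now carries the whole justification for dropping the `/csrf-token` path check. I would extend it to `// Safe methods (RFC 9110) are exempt on the assumption that no GET/HEAD/OPTIONS handler changes state; keep new read-only routes on those methods.` so a later route addition is checked against it. The Origin/Referer comparison that follows the two header reads is outside the hunk, so I cannot tell how a request carrying neither header is treated; csrfProtectionMiddleware starts before and ends after the hunk.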
+1 -8
@@ -605,14 +605,7 @@ const signCsrfToken = (clientId: string, payload: CsrfTokenPayload): Buffer => {
};
/**
* Generate a cryptographically secure CSRF token
*/
export const generateCsrfToken = (): string => {
return crypto.randomBytes(CSRF_TOKEN_LENGTH).toString("hex");
};
/**
* Create and store a new CSRF token for a client
* Create a new CSRF token for a client
* Returns the token to be sent to the client
*/
export const createCsrfToken = (clientId: string): string => {
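Review bot: Deleting `generateCsrfToken` removes the only visible reader of `CSRF_TOKEN_LENGTH` and of `crypto.randomBytes` in this hunk; if nothing else in security.ts uses the constant, it should go in the same cleanup rather than linger as dead configuration that looks security-relevant. The rewritten docstring line `* Create a new CSRF token for a client` drops "and store", which reads as the token no longer being kept server-side, but the body of createCsrfToken is past the end of the hunk so I cannot confirm that; if it is built through `signCsrfToken(clientId, payload)` as the hunk header suggests, the docstring should say so, e.g. `* The token is signed and bound to clientId (see signCsrfToken); no server-side state is kept` — only if that matches the implementation. createCsrfToken continues outside the hunk.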