From 2c1517d2591735481f3ce823933c7138ad471d0c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 15 May 2025 16:12:11 +0000 Subject: [PATCH 1/3] chore(deps): update dependency csrf-csrf to v4 --- apps/server/package.json | 2 +- pnpm-lock.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apps/server/package.json b/apps/server/package.json index 21de08d9b1..2ffcef29cd 100644 --- a/apps/server/package.json +++ b/apps/server/package.json @@ -63,7 +63,7 @@ "cls-hooked": "4.2.2", "compression": "1.8.0", "cookie-parser": "1.4.7", - "csrf-csrf": "3.2.2", + "csrf-csrf": "4.0.2", "dayjs": "1.11.13", "debounce": "2.2.0", "debug": "4.4.1", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index e29d29f389..982a81bae6 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -621,8 +621,8 @@ importers: specifier: 13.0.0 version: 13.0.0(webpack@5.99.8(@swc/core@1.11.24(@swc/helpers@0.5.17))(esbuild@0.25.4)(webpack-cli@6.0.1)) csrf-csrf: - specifier: 3.2.2 - version: 3.2.2 + specifier: 4.0.2 + version: 4.0.2 dayjs: specifier: 1.11.13 version: 1.11.13 @@ -6947,8 +6947,8 @@ packages: resolution: {integrity: sha512-n63i0lZ0rvQ6FXiGQ+/JFCKAUyPFhLQYJIqKaa+tSJtfKeULF/IDNDAbdnSIxgS4NTuw2b0+lj8LzfITuq+ZxQ==} engines: {node: '>=12.10'} - csrf-csrf@3.2.2: - resolution: {integrity: sha512-E3TgLWX1e+jqigDva+nFItfqa59UZ+gLR56DVNyL/xawBGwQr8o3U4/o1gP9FZmIWLnWCiIl5ni85MghMCNRfg==} + csrf-csrf@4.0.2: + resolution: {integrity: sha512-jWI4uDjZn1EedVSa6WhiL6L6M5XmSemXLgCDGwrdPLtkCThSDDTj4ewokTTqrW8JZYcfJ3oY4LFCtXgQ2XAg5Q==} css-declaration-sorter@6.4.1: resolution: {integrity: sha512-rtdthzxKuyq6IzqX6jEcIzQF/YqccluefyCYheovBOLhFT/drQA9zj/UbRAa9J7C0o6EG6u3E6g+vKkay7/k3g==} @@ -21865,7 +21865,7 @@ snapshots: cross-zip@4.0.1: {} - csrf-csrf@3.2.2: + csrf-csrf@4.0.2: dependencies: http-errors: 2.0.0 From 6f6041ee7b954fe70e5cf0615e04ca6a716d6a44 Mon Sep 17 00:00:00 2001 From: Elian Doran Date: Thu, 15 May 2025 20:39:31 +0300 Subject: [PATCH 2/3] fix(server): migrate csrf to v4 --- apps/server/src/routes/csrf_protection.ts | 5 +++-- apps/server/src/routes/index.ts | 9 +++++---- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/apps/server/src/routes/csrf_protection.ts b/apps/server/src/routes/csrf_protection.ts index 391be0aaa7..bd382e3691 100644 --- a/apps/server/src/routes/csrf_protection.ts +++ b/apps/server/src/routes/csrf_protection.ts @@ -10,7 +10,8 @@ const doubleCsrfUtilities = doubleCsrf({ sameSite: "strict", httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966 }, - cookieName: "_csrf" + cookieName: "_csrf", + getSessionIdentifier: (req) => req.session.id }); -export const { generateToken, doubleCsrfProtection } = doubleCsrfUtilities; +export const { generateCsrfToken, doubleCsrfProtection } = doubleCsrfUtilities; diff --git a/apps/server/src/routes/index.ts b/apps/server/src/routes/index.ts index 79a40f1864..5a907cee48 100644 --- a/apps/server/src/routes/index.ts +++ b/apps/server/src/routes/index.ts @@ -10,7 +10,7 @@ import protectedSessionService from "../services/protected_session.js"; import packageJson from "../../package.json" with { type: "json" }; import assetPath from "../services/asset_path.js"; import appPath from "../services/app_path.js"; -import { generateToken as generateCsrfToken } from "./csrf_protection.js"; +import { generateCsrfToken } from "./csrf_protection.js"; import type { Request, Response } from "express"; import type BNote from "../becca/entities/bnote.js"; @@ -19,9 +19,10 @@ function index(req: Request, res: Response) { const options = optionService.getOptionMap(); const view = getView(req); - //'overwrite' set to false (default) => the existing token will be re-used and validated - //'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error - const csrfToken = generateCsrfToken(req, res, false, false); + const csrfToken = generateCsrfToken(req, res, { + overwrite: true, + validateOnReuse: false // if validation fails, generate a new token instead of throwing an error + }); log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`); // We force the page to not be cached since on mobile the CSRF token can be From f327b54c0e1e62d3e9d8d091f36c7cac0d938e75 Mon Sep 17 00:00:00 2001 From: Elian Doran Date: Fri, 16 May 2025 19:45:32 +0300 Subject: [PATCH 3/3] feat(csrf): use different token to avoid issues with old token --- apps/server/src/routes/csrf_protection.ts | 4 +++- apps/server/src/routes/error_handlers.ts | 3 ++- apps/server/src/routes/index.ts | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/apps/server/src/routes/csrf_protection.ts b/apps/server/src/routes/csrf_protection.ts index bd382e3691..2b26afbf3e 100644 --- a/apps/server/src/routes/csrf_protection.ts +++ b/apps/server/src/routes/csrf_protection.ts @@ -2,6 +2,8 @@ import { doubleCsrf } from "csrf-csrf"; import sessionSecret from "../services/session_secret.js"; import { isElectron } from "../services/utils.js"; +export const CSRF_COOKIE_NAME = "trilium-csrf"; + const doubleCsrfUtilities = doubleCsrf({ getSecret: () => sessionSecret, cookieOptions: { @@ -10,7 +12,7 @@ const doubleCsrfUtilities = doubleCsrf({ sameSite: "strict", httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966 }, - cookieName: "_csrf", + cookieName: CSRF_COOKIE_NAME, getSessionIdentifier: (req) => req.session.id }); diff --git a/apps/server/src/routes/error_handlers.ts b/apps/server/src/routes/error_handlers.ts index 05b05f6a4a..af58be82f1 100644 --- a/apps/server/src/routes/error_handlers.ts +++ b/apps/server/src/routes/error_handlers.ts @@ -3,6 +3,7 @@ import log from "../services/log.js"; import NotFoundError from "../errors/not_found_error.js"; import ForbiddenError from "../errors/forbidden_error.js"; import HttpError from "../errors/http_error.js"; +import { CSRF_COOKIE_NAME } from "./csrf_protection.js"; function register(app: Application) { @@ -14,7 +15,7 @@ function register(app: Application) { && err.code === "EBADCSRFTOKEN"; if (isCsrfTokenError) { - log.error(`Invalid CSRF token: ${req.headers["x-csrf-token"]}, secret: ${req.cookies["_csrf"]}`); + log.error(`Invalid CSRF token: ${req.headers["x-csrf-token"]}, secret: ${req.cookies[CSRF_COOKIE_NAME]}`); return next(new ForbiddenError("Invalid CSRF token")); } diff --git a/apps/server/src/routes/index.ts b/apps/server/src/routes/index.ts index 5a907cee48..60697b156a 100644 --- a/apps/server/src/routes/index.ts +++ b/apps/server/src/routes/index.ts @@ -20,7 +20,7 @@ function index(req: Request, res: Response) { const view = getView(req); const csrfToken = generateCsrfToken(req, res, { - overwrite: true, + overwrite: false, validateOnReuse: false // if validation fails, generate a new token instead of throwing an error }); log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`);