Skip to content

chore(deps): update dependency csrf-csrf to v4 #1799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
+14 −12
Open

chore(deps): update dependency csrf-csrf to v4 #1799

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2c1517d
chore(deps): update dependency csrf-csrf to v4
renovate[bot] May 15, 2025
6f6041e
fix(server): migrate csrf to v4
eliandoran May 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion apps/server/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@
"cls-hooked": "4.2.2",
"compression": "1.8.0",
"cookie-parser": "1.4.7",
"csrf-csrf": "3.2.2",
"csrf-csrf": "4.0.2",
"dayjs": "1.11.13",
"debounce": "2.2.0",
"debug": "4.4.1",
Expand Down
5 changes: 3 additions & 2 deletions apps/server/src/routes/csrf_protection.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,8 @@ const doubleCsrfUtilities = doubleCsrf({
sameSite: "strict",
httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966
},
cookieName: "_csrf"
cookieName: "_csrf",
getSessionIdentifier: (req) => req.session.id
});

export const { generateToken, doubleCsrfProtection } = doubleCsrfUtilities;
export const { generateCsrfToken, doubleCsrfProtection } = doubleCsrfUtilities;
9 changes: 5 additions & 4 deletions apps/server/src/routes/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import protectedSessionService from "../services/protected_session.js";
import packageJson from "../../package.json" with { type: "json" };
import assetPath from "../services/asset_path.js";
import appPath from "../services/app_path.js";
import { generateToken as generateCsrfToken } from "./csrf_protection.js";
import { generateCsrfToken } from "./csrf_protection.js";

import type { Request, Response } from "express";
import type BNote from "../becca/entities/bnote.js";
Expand All @@ -19,9 +19,10 @@ function index(req: Request, res: Response) {
const options = optionService.getOptionMap();
const view = getView(req);

//'overwrite' set to false (default) => the existing token will be re-used and validated
//'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
const csrfToken = generateCsrfToken(req, res, false, false);
const csrfToken = generateCsrfToken(req, res, {
overwrite: true,
Copy link
Member

@pano9000 pano9000 May 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

setting overwrite: true will cause issues to people that use the Server build and open up the interface on separate browser tabs (not Trilium internal tabs, but actual browser tabs)

it is explained in the packages README as well:

If overwrite is set to true, the function will generate a new token and cookie each time it is invoked. This behavior can potentially lead to certain complications, particularly when multiple tabs are being used to interact with your web application. In such scenarios, the creation of new cookies with every call to the function can disrupt the proper functioning of your web app across different tabs, as the changes might not be synchronised effectively (you would need to write your own synchronisation logic).

I assume you went this way because of the following?
https://github.com/Psifi-Solutions/csrf-csrf/blob/HEAD/UPGRADING.md#zero-downtime-upgrade-zdu

Deleting the existing cookie should be enough to fix that issue though (in theory -> I didn't test locally yet though).

edit:
btw: I was experiencing the exact same issue, back when I introduced csrf-csrf :-)

edit 2:
Alternative idea to fix this:
if we rename the cookie from "_csrf" to anything else, that should also "workaround" the issue.
I was anyways thinking if we maybe wanted to rename it to include "trilium" in the name anyways

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pano9000 , I think changing the name of the cookie is the way to go.

validateOnReuse: false // if validation fails, generate a new token instead of throwing an error
});
log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`);

// We force the page to not be cached since on mobile the CSRF token can be
Expand Down
10 changes: 5 additions & 5 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading