const crypto = require('crypto');
// Generate a random token
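/**
 * Generate a cryptographically random token, hex-encoded.
 *
 * The randomness comes from crypto.randomBytes (the CSPRNG), not Math.random.
 *
 * @param {number} [byteLength=24] - number of random bytes to draw; the
 *   returned string has twice as many characters. Defaults to 24 so existing
 *   callers keep receiving 48-character tokens.
 * @returns {string} lowercase hex string of length 2 * byteLength
 * @throws if byteLength is not a size crypto.randomBytes accepts
 */
const generateToken = (byteLength = 24) => crypto.randomBytes(byteLength).toString('hex');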
// Middleware to protect against CSRF
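/**
 * Compare a server-side CSRF token with a client-supplied one in constant time.
 *
 * Anything that is not a non-empty string on both sides is a mismatch: a
 * missing value, a non-string (e.g. a header that arrived as something other
 * than a string), or an empty token. Byte lengths are compared first because
 * crypto.timingSafeEqual throws on buffers of different length, and the
 * length check itself does not reveal the secret's content.
 *
 * @param {unknown} expected - token held server-side (from the session)
 * @param {unknown} provided - token presented by the client (from the header)
 * @returns {boolean} true only when both are present and byte-identical
 */
const csrfTokensMatch = (expected, provided) => {
  if (typeof expected !== 'string' || typeof provided !== 'string') {
    return false;
  }
  const expectedBytes = Buffer.from(expected, 'utf8');
  const providedBytes = Buffer.from(provided, 'utf8');
  if (expectedBytes.length === 0 || expectedBytes.length !== providedBytes.length) {
    return false;
  }
  return crypto.timingSafeEqual(expectedBytes, providedBytes);
};

/**
 * Express middleware that rejects state-changing requests whose
 * `x-csrf-token` header does not match the token stored in `req.session.csrfToken`.
 *
 * Safe methods (GET, HEAD, OPTIONS) and the two login paths pass through
 * untouched. Everything else must carry a header token equal to the session
 * token, otherwise the request is answered with 403 and `next` is not called.
 *
 * @param {import('express').Request} req - incoming request; reads `method`,
 *   `path`, `headers['x-csrf-token']` and `session.csrfToken`
 * @param {import('express').Response} res - used only to send the 403
 * @param {Function} next - invoked when the request is allowed through
 * @returns {*} whatever `next()` returns on the pass-through paths, the
 *   `res.json(...)` result on rejection, otherwise undefined
 */
const csrfProtection = (req, res, next) => {
  // Safe methods are exempt; only state-changing requests are checked.
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {
    return next();
  }

  // Login is exempt because no session token exists before the session is
  // created. NOTE(review): this also means login CSRF is not mitigated by
  // this middleware — confirm that is accepted or handled elsewhere.
  if (req.path === '/api/login' || req.path === '/api/auth/login') {
    return next();
  }

  const tokenFromHeader = req.headers['x-csrf-token'];

  // Optional chaining: a missing session object (session middleware not
  // mounted, or a store failure) must produce a 403, not a TypeError that
  // surfaces as a 500.
  const tokenFromSession = req.session?.csrfToken;

  if (!csrfTokensMatch(tokenFromSession, tokenFromHeader)) {
    // Log presence only, never the values: the session token is a secret and
    // would otherwise end up in application logs.
    console.error('CSRF mismatch:', {
      method: req.method,
      path: req.path,
      sessionTokenPresent: Boolean(tokenFromSession),
      headerTokenPresent: Boolean(tokenFromHeader),
    });
    return res.status(403).json({ success: false, message: 'Invalid CSRF Token' });
  }

  next();
};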
// Public API of this module: the random token generator and the CSRF-checking middleware.
module.exports = { generateToken, csrfProtection };