From 38d0b882b056ef6414b2c3fab6e026d502836ae4 Mon Sep 17 00:00:00 2001 From: singharaj usai Date: Fri, 11 Oct 2024 00:03:37 -0400 Subject: [PATCH] csrf token --- client/js/auth/auth.js | 7 +++++++ server/functions/api/routes/auth.js | 16 +++++++++++----- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/client/js/auth/auth.js b/client/js/auth/auth.js index 546eb25..aa39261 100644 --- a/client/js/auth/auth.js +++ b/client/js/auth/auth.js @@ -4,6 +4,12 @@ $.getScript('/js/version.js', function() { VERSION = window.VERSION; }); +let csrfToken = ''; + +$.get('/api/auth/csrf-token', function(data) { + csrfToken = data.csrfToken; +}); + // Main application object const App = { // Configuration @@ -460,6 +466,7 @@ const App = { url: "/api/login", method: "POST", data: { username, password }, //captchaResponse: turnstileResponse }, + headers: { 'CSRF-Token': csrfToken }, // CSRF token success: (response) => { localStorage.setItem("token", response.token); localStorage.setItem("username", response.username); diff --git a/server/functions/api/routes/auth.js b/server/functions/api/routes/auth.js index 09dc3a8..718657e 100644 --- a/server/functions/api/routes/auth.js +++ b/server/functions/api/routes/auth.js @@ -3,7 +3,9 @@ const bcrypt = require("bcrypt"); const { body, validationResult } = require("express-validator"); const User = require("../models/User"); const moment = require("moment-timezone"); -//const csrf = require("csurf"); +const csrf = require("csurf"); +const csrfProtection = csrf({ cookie: true }); + const requestIp = require('request-ip'); const crypto = require('crypto'); const jwt = require('jsonwebtoken'); @@ -141,7 +143,7 @@ const validateUser = [ // REgister account -router.post("/register-create", authLimiter, validateUser, async (req, res) => { +router.post("/register-create", csrfProtection, authLimiter, validateUser, async (req, res) => { try { const { username, email, password } = req.body; console.log("Registration attempt for:", email); @@ -242,7 +244,7 @@ router.get("/validate-session", async (req, res) => { // Check if user is banned -router.get("/check-ban", authenticateToken, async (req, res) => { +router.get("/check-ban", csrfProtection, authenticateToken, async (req, res) => { try { const user = await User.findById(req.user.userId); if (!user) { @@ -259,7 +261,7 @@ const MAX_LOGIN_ATTEMPTS = 5; const LOCK_TIME = 2 * 60 * 1000; // 2 minutes // Login endpoint -router.post("/login", authLimiter, async (req, res) => { +router.post("/login", csrfProtection, authLimiter, async (req, res) => { try { const { username, password } = req.body; // console.log("Login attempt for:", username); @@ -360,7 +362,7 @@ router.post("/login", authLimiter, async (req, res) => { }); // Logout endpoint -router.post("/logout", async (req, res) => { +router.post("/logout", csrfProtection, async (req, res) => { if (req.user) { await User.findByIdAndUpdate(req.user._id, { isOnline: false }); } @@ -372,6 +374,10 @@ router.post("/logout", async (req, res) => { }); }); +router.get("/csrf-token", csrfProtection, (req, res) => { + res.json({ csrfToken: req.csrfToken() }); +}); + /* router.post("/claim-daily-currency", authenticateToken, async (req, res) => {