csrf token finally fixed

singharaj-usai · Oct 11, 2024 · df27dbc · df27dbc
1 parent 38d0b88
commit df27dbc
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 10 deletions.
diff --git a/client/js/auth/auth.js b/client/js/auth/auth.js
@@ -411,7 +411,8 @@ const App = {
           username: $("#username").val(),
           email: $("#email").val(),
           password: $("#password").val(),
-          confirmPassword: $("#confirm-password").val()
+          confirmPassword: $("#confirm-password").val(),
+          _csrf: csrfToken
         };
 
         this.showLoadingIndicator();
@@ -421,6 +422,7 @@ const App = {
           type: "POST",
           data: JSON.stringify(formData),
           contentType: "application/json",
+          headers: csrfToken ? { 'X-CSRF-Token': csrfToken } : {},
           success: (response) => {
             this.hideLoadingIndicator();
             this.showAlert("success", response.message);
@@ -431,7 +433,6 @@ const App = {
           error: (xhr, status, error) => {
             this.hideLoadingIndicator();
             if (status === "timeout") {
-              // Assume the account was created successfully
               this.showAlert("success", "Your account has been created successfully. You can now log in.");
               setTimeout(() => {
                 window.location.href = "/login";
@@ -453,6 +454,9 @@ const App = {
         const username = $("#username").val();
         const password = $("#password").val();
 
+        const data = { username, password };
+        const headers = {};
+
         // cloudflare captcha
  /*        const turnstileResponse = turnstile.getResponse();
         console.log("Turnstile response:", turnstileResponse);
@@ -461,12 +465,20 @@ const App = {
           return;
         } */
 
+      // Add CSRF token if available
+      if (csrfToken) {
+        data._csrf = csrfToken;
+          headers['X-CSRF-Token'] = csrfToken;
+        }
 
         $.ajax({
           url: "/api/login",
           method: "POST",
-          data: { username, password }, //captchaResponse: turnstileResponse },
-          headers: { 'CSRF-Token': csrfToken }, //  CSRF token
+          data: data, //captchaResponse: turnstileResponse },
+          headers: headers,
+          xhrFields: {
+            withCredentials: true //  cookies are sent with the request
+          },
           success: (response) => {
             localStorage.setItem("token", response.token);
             localStorage.setItem("username", response.username);

diff --git a/server/functions/api/routes/auth.js b/server/functions/api/routes/auth.js
@@ -67,6 +67,16 @@ const authLimiter = rateLimit({
   message: "Too many requests from this IP, please try again in 10 minute",
 });
 
+// for accounts signed up without csrf protection
+const flexibleCsrfProtection = (req, res, next) => {
+  const csrfToken = req.headers['x-csrf-token'] || req.body._csrf;
+  if (csrfToken) {
+    csrfProtection(req, res, next);
+  } else {
+    console.warn('Request without CSRF token received');
+    next();
+  }
+};
 
 // Validation middleware
 const validateUser = [
@@ -143,7 +153,7 @@ const validateUser = [
 
 
 // REgister account
-router.post("/register-create", csrfProtection, authLimiter, validateUser, async (req, res) => {
+router.post("/register-create", flexibleCsrfProtection, authLimiter, validateUser, async (req, res) => {
   try {
     const { username, email, password } = req.body;
     console.log("Registration attempt for:", email);
@@ -244,7 +254,7 @@ router.get("/validate-session", async (req, res) => {
 
 
 // Check if user is banned
-router.get("/check-ban", csrfProtection, authenticateToken, async (req, res) => {
+router.get("/check-ban", flexibleCsrfProtection, authenticateToken, async (req, res) => {
   try {
     const user = await User.findById(req.user.userId);
     if (!user) {
@@ -261,7 +271,7 @@ const MAX_LOGIN_ATTEMPTS = 5;
 const LOCK_TIME = 2 * 60 * 1000; // 2 minutes
 
 // Login endpoint
-router.post("/login", csrfProtection, authLimiter, async (req, res) => {
+router.post("/login", flexibleCsrfProtection, authLimiter, async (req, res) => {
   try {
     const { username, password } = req.body;
 //    console.log("Login attempt for:", username);
@@ -342,14 +352,14 @@ router.post("/login", csrfProtection, authLimiter, async (req, res) => {
     res.cookie('token', token, {
       httpOnly: true,
       secure: process.env.NODE_ENV === 'production',
-      sameSite: 'Strict',
+      sameSite: 'Lax',
       maxAge: 24 * 60 * 60 * 1000, // 1  day
     });
 
     res.json({
-
+      token,
       username: user.username,
-      userId: user.userId,
+      userId: user._id,
       signupDate: user.signupDate,
       lastLoggedIn: user.lastLoggedIn,
       isBanned: user.isBanned,