calvin.erfmann/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-11 04:12:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/fosrl/pangolin

Browse Source
This commit is contained in:
Milo Schwartz
2024-12-26 11:45:39 -05:00
parent af0bc3b2c5 34e3e7c819
commit d2e4cd07ca
12 changed files with 52 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
server/apiServer.ts
View File

@@ -6,11 +6,12 @@ import logger from "@server/logger";
import {
errorHandlerMiddleware,
notFoundMiddleware,
rateLimitMiddleware,
rateLimitMiddleware
} from "@server/middlewares";
import { authenticated, unauthenticated } from "@server/routers/external";
import { router as wsRouter, handleWSUpgrade } from "@server/routers/ws";
import { logIncomingMiddleware } from "./middlewares/logIncoming";
import { csrfProtectionMiddleware } from "./middlewares/csrfProtection";
import helmet from "helmet";
const dev = process.env.ENVIRONMENT !== "prod";
@@ -25,13 +26,21 @@ export function createApiServer() {
apiServer.use(
cors({
origin: `http://localhost:${config.server.next_port}`,
credentials: true,
}),
credentials: true
})
);
} else {
apiServer.use(cors());
const corsOptions = {
origin: config.app.base_url,
methods: ["GET", "POST", "PUT", "DELETE", "PATCH"],
allowedHeaders: ["Content-Type", "X-CSRF-Token"]
};
apiServer.use(cors(corsOptions));
apiServer.use(helmet());
apiServer.use(csrfProtectionMiddleware);
}
apiServer.use(cookieParser());
apiServer.use(express.json());
@@ -40,8 +49,8 @@ export function createApiServer() {
rateLimitMiddleware({
windowMin: config.rate_limits.global.window_minutes,
max: config.rate_limits.global.max_requests,
type: "IP_AND_PATH",
}),
type: "IP_AND_PATH"
})
);
}
@@ -62,7 +71,7 @@ export function createApiServer() {
const httpServer = apiServer.listen(externalPort, (err?: any) => {
if (err) throw err;
logger.info(
`API server is running on http://localhost:${externalPort}`,
`API server is running on http://localhost:${externalPort}`
);
});

8
server/auth/index.ts
View File

@@ -87,17 +87,17 @@ export async function invalidateAllSessions(userId: string): Promise<void> {
export function serializeSessionCookie(token: string): string {
if (SECURE_COOKIES) {
return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Strict; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
} else {
return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=${COOKIE_DOMAIN}`;
return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Strict; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=${COOKIE_DOMAIN}`;
}
}
export function createBlankSessionTokenCookie(): string {
if (SECURE_COOKIES) {
return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Strict; Max-Age=0; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
} else {
return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Domain=${COOKIE_DOMAIN}`;
return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Strict; Max-Age=0; Path=/; Domain=${COOKIE_DOMAIN}`;
}
}

8
server/auth/resource.ts
View File

@@ -166,9 +166,9 @@ export function serializeResourceSessionCookie(
token: string
): string {
if (SECURE_COOKIES) {
return `${cookieName}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
return `${cookieName}=${token}; HttpOnly; SameSite=Strict; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
} else {
return `${cookieName}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=${COOKIE_DOMAIN}`;
return `${cookieName}=${token}; HttpOnly; SameSite=Strict; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=${COOKIE_DOMAIN}`;
}
}
@@ -176,9 +176,9 @@ export function createBlankResourceSessionTokenCookie(
cookieName: string
): string {
if (SECURE_COOKIES) {
return `${cookieName}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
return `${cookieName}=; HttpOnly; SameSite=Strict; Max-Age=0; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
} else {
return `${cookieName}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Domain=${COOKIE_DOMAIN}`;
return `${cookieName}=; HttpOnly; SameSite=Strict; Max-Age=0; Path=/; Domain=${COOKIE_DOMAIN}`;
}
}

24
server/middlewares/csrfProtection.ts Normal file
View File

@@ -0,0 +1,24 @@
import { NextFunction, Request, Response } from "express";
export function csrfProtectionMiddleware(
req: Request,
res: Response,
next: NextFunction
) {
const csrfToken = req.headers["x-csrf-token"];
// Skip CSRF check for GET requests as they should be idempotent
if (req.method === "GET") {
next();
return;
}
if (!csrfToken || csrfToken !== "x-csrf-protection") {
res.status(403).json({
error: "CSRF token missing or invalid"
});
return;
}
next();
}