CSRF prevention

This commit is contained in:
Owen Schwartz 2024-12-25 22:04:20 -05:00
parent 993eab5ac1
commit 4e4b8744b5
No known key found for this signature in database
GPG key ID: 8271FDFFD9E0CCBD
3 changed files with 43 additions and 8 deletions


@ -6,11 +6,12 @@ import logger from "@server/logger";
import {
errorHandlerMiddleware,
notFoundMiddleware,
rateLimitMiddleware,
rateLimitMiddleware
} from "@server/middlewares";
import { authenticated, unauthenticated } from "@server/routers/external";
import { router as wsRouter, handleWSUpgrade } from "@server/routers/ws";
import { logIncomingMiddleware } from "./middlewares/logIncoming";
import { csrfProtectionMiddleware } from "./middlewares/csrfProtection";
import helmet from "helmet";
const dev = process.env.ENVIRONMENT !== "prod";
@ -25,13 +26,22 @@ export function createApiServer() {
apiServer.use(
cors({
origin: `http://localhost:${config.server.next_port}`,
credentials: true,
}),
credentials: true
})
);
} else {
apiServer.use(cors());
const corsOptions = {
origin: config.app.base_url,
methods: ["GET", "POST", "PUT", "DELETE", "PATCH"],
allowedHeaders: ["Content-Type", "X-CSRF-Token"],
credentials: true
};
apiServer.use(cors(corsOptions));
apiServer.use(helmet());
apiServer.use(csrfProtectionMiddleware);
}
apiServer.use(cookieParser());
apiServer.use(express.json());
@ -40,8 +50,8 @@ export function createApiServer() {
rateLimitMiddleware({
windowMin: config.rate_limits.global.window_minutes,
max: config.rate_limits.global.max_requests,
type: "IP_AND_PATH",
}),
type: "IP_AND_PATH"
})
);
}
@ -62,7 +72,7 @@ export function createApiServer() {
const httpServer = apiServer.listen(externalPort, (err?: any) => {
if (err) throw err;
logger.info(
`API server is running on http://localhost:${externalPort}`,
`API server is running on http://localhost:${externalPort}`
);
});
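Review bot: `apiServer.use(csrfProtectionMiddleware)` is registered before `apiServer.use(cookieParser())` in the `createApiServer` hunk, so if the middleware compares the `X-CSRF-Token` header against a cookie (the double-submit pattern the `allowedHeaders` entry suggests), `req.cookies` is still undefined when it runs; the middleware body lives in another file of this commit and is not visible here, so confirm which request fields it reads. The simplest fix is to hoist `apiServer.use(cookieParser());` above the `if (dev) {` branch so both environments see parsed cookies before any CSRF check. Separately, `helmet()` and the CSRF check are wired only in the non-dev branch, so a frontend that omits the token works in development and fails only in production; consider registering `csrfProtectionMiddleware` in both branches and keeping only the CORS origin environment-specific. Bear in mind that the CORS allow-list does not by itself block a cross-site form POST carrying the session cookie — only the CSRF middleware does, so it has to actually run in front of the state-changing routers. `createApiServer` begins before this hunk and its body continues past the end of the section.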