Implement anti-CSRF for logout

2024-11-14 22:06:00 +00:00 · 2024-05-13 20:40:27 -04:00 · 2024-05-13 20:40:27 -04:00 · 800aef1942
commit 800aef1942
parent da7f73baa6
2 changed files with 8 additions and 0 deletions
--- a/packages/backend/src/routers/logout.js
+++ b/packages/backend/src/routers/logout.js
@ -29,6 +29,11 @@ router.post('/logout', auth, express.json(), async (req, res, next)=>{
    // check subdomain
    if(require('../helpers').subdomain(req) !== 'api' && require('../helpers').subdomain(req) !== '')
        next();
+    // check anti-csrf token
+    const svc_antiCSRF = req.services.get('anti-csrf');
+    if ( ! svc_antiCSRF.consume_token(req.user.uuid, req.body.anti_csrf) ) {
+        return res.status(400).json({ message: 'incorrect anti-CSRF token' });
+    }
    // delete cookie
    res.clearCookie(config.cookie_name);
    // delete session
--- a/src/initgui.js
+++ b/src/initgui.js
@ -1981,6 +1981,8 @@ window.initgui = async function(){

        // logout
        try{
+            const resp = await fetch(`${window.gui_origin}/get-anticsrf-token`);
+            const { token } = await resp.json();
            await $.ajax({
                url: window.gui_origin + "/logout",
                type: 'POST',
@ -1989,6 +1991,7 @@ window.initgui = async function(){
                headers: {
                    "Authorization": "Bearer " + window.auth_token
                },
+                data: JSON.stringify({ anti_csrf: token }),
                statusCode: {
                    401: function () {
                    },