marketing-shibata50/tududi
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tududi/backend/app.js
Chris 6c9902b584
fix: add CSRF token support to frontend requests (#1025) 
This commit implements CSRF token support for all session-based API
requests to fix the "CSRF token missing" and "CSRF token mismatch" errors
introduced after CSRF protection was added in commit 62c4cc84.

Changes:
- Created csrfService.ts utility for fetching and caching CSRF tokens
- Added getPostHeadersWithCsrf() helper to authUtils for async token injection
- Updated all service files (*Service.ts) to include CSRF tokens in POST/PUT/PATCH/DELETE requests
- Updated components with inline fetch calls to use getCsrfToken()
- Fixed CSRF middleware to use single lusca instance instead of creating new instances per request
- Improved generateToken() to use req.csrfToken() when available
- Added CalDAV path exemption to CSRF protection

Technical details:
- CSRF tokens are fetched from /api/csrf-token endpoint
- Tokens are cached and reused across requests to avoid unnecessary fetches
- Tokens are included in x-csrf-token header for state-changing requests
- Public endpoints (login, register) remain exempt from CSRF protection
- Bearer token authentication remains exempt from CSRF protection

Files modified:
- Backend: app.js, middleware/csrf.js
- Frontend: 13 service files, 8 component files
- New file: frontend/utils/csrfService.ts

This ensures all session-based requests properly include CSRF tokens while
maintaining support for API token authentication.
2026-04-14 15:06:56 +03:00

349 lines
11 KiB
JavaScript
Raw Blame History

require('dotenv').config();
const express = require('express');
const path = require('path');
const cors = require('cors');
const helmet = require('helmet');
const compression = require('compression');
const morgan = require('morgan');
const session = require('express-session');
const SequelizeStore = require('connect-session-sequelize')(session.Store);
const { sequelize } = require('./models');
const {
initializeTelegramPolling,
} = require('./modules/telegram/telegramInitializer');
const taskScheduler = require('./modules/tasks/taskScheduler');
const { setConfig, getConfig } = require('./config/config');
const config = getConfig();
const API_VERSION = process.env.API_VERSION || 'v1';
const API_BASE_PATH = `/api/${API_VERSION}`;
const app = express();
if (config.trustProxy !== false) {
app.set('trust proxy', config.trustProxy);
}
// Session store
const sessionStore = new SequelizeStore({
db: sequelize,
});
// Middlewares
app.use(
helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", 'data:', 'https:'],
connectSrc: ["'self'"],
fontSrc: ["'self'"],
objectSrc: ["'none'"],
mediaSrc: ["'self'"],
frameSrc: ["'none'"],
},
},
hsts: config.production
? {
maxAge: 31536000,
includeSubDomains: true,
preload: true,
}
: false,
})
);
app.use(compression());
app.use(morgan('combined'));
// CORS configuration
app.use(
cors({
origin: config.allowedOrigins,
credentials: true,
methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
allowedHeaders: [
'Authorization',
'Content-Type',
'Accept',
'X-Requested-With',
],
exposedHeaders: ['Content-Type'],
maxAge: 1728000,
})
);
// Body parsing
app.use(express.json({ limit: '10mb' }));
app.use(express.urlencoded({ extended: true, limit: '10mb' }));
// Session configuration
const sessionMiddleware = session({
secret: config.secret,
store: sessionStore,
resave: false,
saveUninitialized: false,
cookie: {
httpOnly: true,
secure: process.env.COOKIE_SECURE !== 'false' && config.production,
maxAge: 2592000000, // 30 days
sameSite: 'lax',
},
});
app.use(sessionMiddleware);
// CSRF protection using lusca (CodeQL recommended library)
const lusca = require('lusca');
const { csrfMiddleware } = require('./middleware/csrf');
// Pre-check middleware to exempt test/Bearer requests before lusca runs
app.use((req, res, next) => {
// Public unauthenticated endpoints that should bypass CSRF
// These are routes that don't require authentication and are used during login/registration
const publicPaths = [
'/api/login',
'/api/register',
'/api/verify-email',
'/api/version',
'/api/registration-status',
'/api/health',
];
const isPublicPath = publicPaths.some((path) => req.path === path);
const isOidcPath = req.path.startsWith('/api/oidc/');
const isFeatureFlagsPath = req.path.startsWith('/api/feature-flags');
const isCalDAVPath =
req.path.startsWith('/caldav/') ||
req.path.startsWith('/.well-known/caldav');
// Mark exempt requests so lusca wrapper can skip them
if (
process.env.NODE_ENV === 'test' ||
req.headers.authorization?.startsWith('Bearer ') ||
isPublicPath ||
isOidcPath ||
isFeatureFlagsPath ||
isCalDAVPath
) {
req._csrfExempt = true;
}
next();
});
// Apply lusca CSRF - wrapped to check exemption flag
// Only apply to state-changing methods (POST, PUT, PATCH, DELETE)
app.use((req, res, next) => {
const statefulMethods = ['POST', 'PUT', 'PATCH', 'DELETE'];
if (req._csrfExempt || !statefulMethods.includes(req.method)) {
return next();
}
return csrfMiddleware(req, res, next);
});
// Static files
if (config.production) {
app.use(express.static(path.join(__dirname, 'dist')));
} else {
app.use(express.static('public'));
}
// Serve locales
if (config.production) {
app.use('/locales', express.static(path.join(__dirname, 'dist/locales')));
} else {
app.use(
'/locales',
express.static(path.join(__dirname, '../public/locales'))
);
}
// Serve uploaded files
const registerUploadsStatic = (basePath) => {
app.use(`${basePath}/uploads`, express.static(config.uploadPath));
};
registerUploadsStatic('/api');
if (API_VERSION && API_BASE_PATH !== '/api') {
registerUploadsStatic(API_BASE_PATH);
}
// Authentication middleware
const { requireAuth } = require('./middleware/auth');
const { logError } = require('./services/logService');
// Rate limiting middleware
const {
apiLimiter,
authenticatedApiLimiter,
} = require('./middleware/rateLimiter');
// Error handler for modular architecture
const errorHandler = require('./shared/middleware/errorHandler');
// Modular routes
const adminModule = require('./modules/admin');
const areasModule = require('./modules/areas');
const authModule = require('./modules/auth');
const backupModule = require('./modules/backup');
const featureFlagsModule = require('./modules/feature-flags');
const habitsModule = require('./modules/habits');
const inboxModule = require('./modules/inbox');
const notesModule = require('./modules/notes');
const notificationsModule = require('./modules/notifications');
const projectsModule = require('./modules/projects');
const quotesModule = require('./modules/quotes');
const searchModule = require('./modules/search');
const sharesModule = require('./modules/shares');
const tagsModule = require('./modules/tags');
const tasksModule = require('./modules/tasks');
const telegramModule = require('./modules/telegram');
const urlModule = require('./modules/url');
const usersModule = require('./modules/users');
const viewsModule = require('./modules/views');
const mcpModule = require('./modules/mcp');
const oidcModule = require('./modules/oidc');
// Swagger documentation - enabled by default, protected by authentication
// Mounted on /api-docs to avoid conflicts with API routes
if (config.swagger.enabled) {
const swaggerUi = require('swagger-ui-express');
const swaggerSpec = require('./config/swagger');
const swaggerUiOptions = {
customSiteTitle: 'Tududi API Documentation',
customfavIcon: '/favicon.ico',
customCss: '.swagger-ui .topbar { display: none }',
swaggerOptions: {
url: '/api-docs/swagger.json',
},
};
// Expose on /api-docs, protected by authentication
app.use('/api-docs', requireAuth, swaggerUi.serve);
app.get('/api-docs/swagger.json', requireAuth, (req, res) =>
res.json(swaggerSpec)
);
app.get(
'/api-docs',
requireAuth,
swaggerUi.serveFiles(swaggerSpec, swaggerUiOptions),
swaggerUi.setup(swaggerSpec, swaggerUiOptions)
);
}
// Apply rate limiting to API routes
// Use both limiters: apiLimiter for unauthenticated, authenticatedApiLimiter for authenticated
// Each has skip logic to handle their specific use case
const registerRateLimiting = (basePath) => {
app.use(basePath, apiLimiter);
app.use(basePath, authenticatedApiLimiter);
};
const rateLimitPath =
API_VERSION && API_BASE_PATH !== '/api' ? API_BASE_PATH : '/api';
registerRateLimiting(rateLimitPath);
// Health check (before auth middleware) - ensure it's completely bypassed
const registerHealthCheck = (basePath) => {
app.get(`${basePath}/health`, (req, res) => {
res.status(200).json({
status: 'ok',
timestamp: new Date().toISOString(),
uptime: process.uptime(),
environment: config.environment,
});
});
};
const healthPaths = new Set(['/api']);
if (API_VERSION && API_BASE_PATH !== '/api') {
healthPaths.add(API_BASE_PATH);
}
healthPaths.forEach(registerHealthCheck);
const registerApiRoutes = (basePath) => {
app.use(basePath, authModule.routes);
app.use(basePath, featureFlagsModule.routes);
app.use(`${basePath}/oidc`, oidcModule.routes);
app.use(basePath, requireAuth);
app.use(basePath, tasksModule.routes);
app.use(basePath, habitsModule.routes);
app.use(basePath, projectsModule.routes);
app.use(basePath, adminModule.routes);
app.use(basePath, sharesModule.routes);
app.use(basePath, areasModule.routes);
app.use(basePath, notesModule.routes);
app.use(basePath, tagsModule.routes);
app.use(basePath, usersModule.routes);
app.use(basePath, inboxModule.routes);
app.use(basePath, urlModule.routes);
app.use(basePath, telegramModule.routes);
app.use(basePath, quotesModule.routes);
app.use(basePath, backupModule.routes);
app.use(basePath, searchModule.routes);
app.use(basePath, viewsModule.routes);
app.use(basePath, notificationsModule.routes);
app.use(basePath, mcpModule.routes);
};
// Register routes at both /api and /api/v1 (if versioned) to maintain backwards compatibility
// The requireAuth middleware is applied once per base path, preventing the auth loop
const routeBases = new Set(['/api']);
if (API_VERSION && API_BASE_PATH !== '/api') {
routeBases.add(API_BASE_PATH);
}
routeBases.forEach(registerApiRoutes);
// SPA fallback
app.get('*', (req, res) => {
if (
!req.path.startsWith('/api/') &&
!req.path.match(/\.(js|css|png|jpg|jpeg|gif|ico|svg)$/)
) {
if (config.production) {
res.sendFile(path.join(__dirname, 'dist', 'index.html'));
} else {
res.sendFile(path.join(__dirname, '../public', 'index.html'));
}
} else {
res.status(404).json({
error: 'Not Found',
message: 'The requested resource could not be found.',
});
}
});
// Error handling middleware (handles AppError and Sequelize errors)
app.use(errorHandler);
// Initialize database and start server
async function startServer() {
try {
// Create session store table
await sessionStore.sync();
// Initialize Telegram polling after database is ready
await initializeTelegramPolling();
// Initialize task scheduler
await taskScheduler.initialize();
const server = app.listen(config.port, config.host, () => {
console.log(`Server running on port ${config.port}`);
console.log(`Server listening on http://localhost:${config.port}`);
});
server.on('error', (err) => {
console.error('Server error:', err);
});
} catch (error) {
console.error('Failed to start server:', error);
process.exit(1);
}
}
if (require.main === module) {
startServer();
}
module.exports = app;
Reference in a new issue View git blame Copy permalink