feat: CSRF protection for public endpoints #18674
🚨 Potential security issues detected (Socket for GitHub).
Ready for review
@@ -81,6 +81,9 @@ NEXTAUTH_SECRET= | |||
# Used for cross-domain cookie authentication | |||
NEXTAUTH_COOKIE_DOMAIN= | |||
|
|||
# You can use: `openssl rand -base64 32` to generate one | |||
CSRF_SECRET= |
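Review bot: the comment on the new `CSRF_SECRET` line explains how to generate a value but not what happens when it is left empty, and the author notes elsewhere in this PR that an unset secret makes the CSRF class a no-op; please state that here, e.g. `# Leave empty to disable CSRF protection (not recommended in production)`, so that anyone copying `.env.example` knows an empty value silently turns the check off rather than assuming a default is applied.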
This is opt-in. If not set, the class will no-op.
@@ -0,0 +1,10 @@ | |||
import type { ICSRF } from "./csrf.interface"; | |||
|
|||
export class MockCSRF implements ICSRF { |
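Review bot: `MockCSRF` is not only a test double here; per the author's comments it is also the production fallback whenever `CSRF_SECRET` is unset, so the no-op path should at least emit a startup warning so a missing secret is visible instead of silently disabling verification. Consider also failing closed (throwing from the factory in `index.ts`) when `NODE_ENV === "production"` and the secret is absent, and renaming the class to something like `NoopCSRF` so the file name and the PR description ("for testing purposes") do not understate its role.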
Fallback when env var is not set
What does this PR do?
This pull request introduces a CSRF protection mechanism across various parts of the application, including the addition of a new CSRF module and its integration into API routes. The most important changes include the creation of the CSRF module, updates to API routes to include CSRF verification, and modifications to the environment configuration.
CSRF Protection Implementation:

New CSRF Module:
- `RealCSRF` class to handle CSRF setup and verification, including methods for token creation and validation. (packages/features/csrf/csrf.ts, lines 1-113)
- `MockCSRF` class for testing purposes, which skips CSRF setup and verification. (packages/features/csrf/csrf.mock.ts, lines 1-10)
- `ICSRF` interface to standardize CSRF methods. (packages/features/csrf/csrf.interface.ts, lines 1-6)
- `CSRF` class to initialize the appropriate CSRF handler based on the presence of `CSRF_SECRET`. (packages/features/csrf/index.ts, lines 1-10)

Integration into API Routes:
- CSRF verification added via `CSRF.init().verify(req, res)` in apps/web/pages/api/book/event.ts, apps/web/pages/api/book/instant-event.ts, apps/web/pages/api/book/recurring-event.ts and apps/web/server/lib/[user]/[type]/getServerSideProps.ts (line 299).

Environment Configuration:
- `CSRF_SECRET` added to `.env.example` to guide users on generating a CSRF secret. (.env.example, lines 84-86)
- `CSRF_SECRET` added to `turbo.json` for environment variable management. (turbo.json, line 278)

Dependency Updates:
- `cookie`, `cookie-signature`, `tsscmp`, and `uid-safe` added. (packages/features/package.json, lines 18-34)
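As an added illustration (not code from this PR or from the project), the opt-in design described above: an `ICSRF` interface, a signing `RealCSRF`, a no-op `MockCSRF`, and a `CSRF.init()` factory that selects one based on `CSRF_SECRET`. It uses Node's built-in `crypto` in place of the `cookie-signature`, `tsscmp` and `uid-safe` packages the PR adds; the `Req`/`Res` shapes, the cookie name `csrf` and the header `x-csrf-token` are assumptions.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed minimal request/response shapes (the real routes use Next.js req/res).
export type Req = { headers: Record<string, string | undefined>; cookies: Record<string, string | undefined> };
export type Res = { setCookie: (name: string, value: string) => void };

export interface ICSRF {
  setup(res: Res): string;   // issue a token: signed copy in a cookie, raw token returned for the page/form
  verify(req: Req): boolean; // double-submit check: header token must match the signed cookie
}

// Fallback when CSRF_SECRET is unset: skips setup and verification entirely.
export class MockCSRF implements ICSRF {
  setup(): string { return ""; }
  verify(): boolean { return true; }
}

export class RealCSRF implements ICSRF {
  constructor(private readonly secret: string) {}

  // "token.signature", HMAC-SHA256 keyed with the secret (cookie-signature plays this role in the PR).
  private sign(token: string): string {
    return `${token}.${createHmac("sha256", this.secret).update(token).digest("base64url")}`;
  }

  setup(res: Res): string {
    const token = randomBytes(24).toString("base64url"); // unguessable token (uid-safe's role in the PR)
    res.setCookie("csrf", this.sign(token));
    return token;
  }

  verify(req: Req): boolean {
    const submitted = req.headers["x-csrf-token"];
    const cookie = req.cookies["csrf"];
    if (!submitted || !cookie) return false;
    // Re-sign the submitted token and compare in constant time (tsscmp's role in the PR);
    // a cross-site page cannot read the cookie and cannot forge the signature without the secret.
    const expected = Buffer.from(this.sign(submitted));
    const actual = Buffer.from(cookie);
    return expected.length === actual.length && timingSafeEqual(expected, actual);
  }
}

export class CSRF {
  // Opt-in: a missing secret selects the no-op implementation.
  static init(secret: string | undefined = process.env.CSRF_SECRET): ICSRF {
    return secret ? new RealCSRF(secret) : new MockCSRF();
  }
}
```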