chore(deps): update dependency csrf-csrf to v4 #1799
Conversation
renovate
bot
force-pushed
the
renovate/csrf-csrf-4.x
branch
from
c485412 to
d9b7e86
Compare
renovate
bot
changed the title
|
renovate
bot
force-pushed
the
renovate/csrf-csrf-4.x
branch
from
d9b7e86 to
3e10746
Compare
renovate
bot
force-pushed
the
renovate/csrf-csrf-4.x
branch
from
7333765 to
2c1517d
Compare
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
apps/server/src/routes/index.ts
Outdated
| //'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error | ||
| const csrfToken = generateCsrfToken(req, res, false, false); | ||
| const csrfToken = generateCsrfToken(req, res, { | ||
| overwrite: true, |
There was a problem hiding this comment.
setting overwrite: true will cause issues to people that use the Server build and open up the interface on separate browser tabs (not Trilium internal tabs, but actual browser tabs)
it is explained in the packages README as well:
If overwrite is set to true, the function will generate a new token and cookie each time it is invoked. This behavior can potentially lead to certain complications, particularly when multiple tabs are being used to interact with your web application. In such scenarios, the creation of new cookies with every call to the function can disrupt the proper functioning of your web app across different tabs, as the changes might not be synchronised effectively (you would need to write your own synchronisation logic).
I assume you went this way because of the following?
https://github.com/Psifi-Solutions/csrf-csrf/blob/HEAD/UPGRADING.md#zero-downtime-upgrade-zdu
Deleting the existing cookie should be enough to fix that issue though (in theory -> I didn't test locally yet though).
edit:
btw: I was experiencing the exact same issue, back when I introduced csrf-csrf :-)
edit 2:
Alternative idea to fix this:
if we rename the cookie from "_csrf" to anything else, that should also "workaround" the issue.
I was anyways thinking if we maybe wanted to rename it to include "trilium" in the name anyways
There was a problem hiding this comment.
@pano9000 , I think changing the name of the cookie is the way to go.
dosubot
bot
added
the
size:S
Renovate Ignore NotificationBecause you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR. |
This PR contains the following updates:
3.2.2->4.0.2Release Notes
Psifi-Solutions/csrf-csrf (csrf-csrf)
v4.0.2Compare Source
Bug Fixes
v4.0.1Compare Source
Bug Fixes
v4.0.0Compare Source
⚠ BREAKING CHANGES
This list may not be an exhaustive list of breaking changes, for more information consult the version 3 -> 4 upgrade guide and the updated configuration documentation in the README.
createHmac, the format has changed significantly, see the CSRF token format section of the upgrade guide.getSessionIdentifieris now required and must return a unique identifier per-request (and per-session) - this is an essential part of CSRF token securitygetTokenFromRequestrenamed togetCsrfTokenFromRequestgenerateTokenrenamed togenerateCsrfTokenoverwriteandvalidateOnReuseparameters forgenerateCsrfTokenhave been merged into a single object parameter which also acceptscookieOptions:generateCsrfToken(req, res, options);validateOnReuseis nowfalsecookieOptions.sameSiteis nowstrictcookieOptions.signedis no longer available, CSRF tokens are inherently signed, this is redundantdelimiteroption removed,csrfTokenDelimiterandmessageDelimiterare now used for the respective purposesignedoption incookieOptionsconfig option removed (redundant), csrf tokens generated by csrf-csrf are inherently signedsizeconfig option now sets the size of the message used to construct the hmac, now defaults to32instead of64, this is combined with the return value ofgetSessionIdentifierto construct the hmac payloadCsrfTokenCookieOverridesrenamed toCsrfTokenCookieOptionsCsrfTokenCreatorrenamed toCsrfTokenGeneratordoubleCsrfProtectionrenamed toDoubleCsrfProtectionRequestMethodrenamed toCsrfRequestMethodCsrfIgnoredMethodsrenamed toCsrfIgnoredRequestMethodsFeatures
3.2.2 (2025-04-24)
Bug Fixes
3.2.1 (2025-04-20)
No changes, just re-published the botched 3.2.0
Configuration
📅 Schedule: Branch creation - "before 3am" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.