Skip to content
This repository was archived by the owner on Jun 24, 2025. It is now read-only.

chore(deps): update dependency csrf-csrf to v4 #1799

Closed
wants to merge 7 commits into from
Closed

chore(deps): update dependency csrf-csrf to v4 #1799

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
2c1517d
chore(deps): update dependency csrf-csrf to v4
renovate[bot] May 15, 2025
6f6041e
fix(server): migrate csrf to v4
eliandoran May 15, 2025
f38105e
Merge remote-tracking branch 'origin/develop' into renovate/csrf-csrf…
eliandoran May 16, 2025
f327b54
feat(csrf): use different token to avoid issues with old token
eliandoran May 16, 2025
fd90454
Merge branch 'develop' into renovate/csrf-csrf-4.x
eliandoran May 17, 2025
e7450b5
Merge branch 'develop' into renovate/csrf-csrf-4.x
eliandoran Jun 8, 2025
d4aaf4c
Merge branch 'develop' into renovate/csrf-csrf-4.x
perfectra1n Jun 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion apps/server/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@
"cls-hooked": "4.2.2",
"compression": "1.8.0",
"cookie-parser": "1.4.7",
"csrf-csrf": "3.2.2",
"csrf-csrf": "4.0.2",
"dayjs": "1.11.13",
"debounce": "2.2.0",
"debug": "4.4.1",
Expand Down
5 changes: 3 additions & 2 deletions apps/server/src/routes/csrf_protection.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,8 @@ const doubleCsrfUtilities = doubleCsrf({
sameSite: "strict",
httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966
},
cookieName: "_csrf"
cookieName: "_csrf",
getSessionIdentifier: (req) => req.session.id
});

export const { generateToken, doubleCsrfProtection } = doubleCsrfUtilities;
export const { generateCsrfToken, doubleCsrfProtection } = doubleCsrfUtilities;
9 changes: 5 additions & 4 deletions apps/server/src/routes/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import protectedSessionService from "../services/protected_session.js";
import packageJson from "../../package.json" with { type: "json" };
import assetPath from "../services/asset_path.js";
import appPath from "../services/app_path.js";
import { generateToken as generateCsrfToken } from "./csrf_protection.js";
import { generateCsrfToken } from "./csrf_protection.js";

import type { Request, Response } from "express";
import type BNote from "../becca/entities/bnote.js";
Expand All @@ -19,9 +19,10 @@ function index(req: Request, res: Response) {
const options = optionService.getOptionMap();
const view = getView(req);

//'overwrite' set to false (default) => the existing token will be re-used and validated
//'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
const csrfToken = generateCsrfToken(req, res, false, false);
const csrfToken = generateCsrfToken(req, res, {
overwrite: true,
Copy link
Contributor

@pano9000 pano9000 May 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

setting overwrite: true will cause issues to people that use the Server build and open up the interface on separate browser tabs (not Trilium internal tabs, but actual browser tabs)

it is explained in the packages README as well:

If overwrite is set to true, the function will generate a new token and cookie each time it is invoked. This behavior can potentially lead to certain complications, particularly when multiple tabs are being used to interact with your web application. In such scenarios, the creation of new cookies with every call to the function can disrupt the proper functioning of your web app across different tabs, as the changes might not be synchronised effectively (you would need to write your own synchronisation logic).

I assume you went this way because of the following?
https://github.com/Psifi-Solutions/csrf-csrf/blob/HEAD/UPGRADING.md#zero-downtime-upgrade-zdu

Deleting the existing cookie should be enough to fix that issue though (in theory -> I didn't test locally yet though).

edit:
btw: I was experiencing the exact same issue, back when I introduced csrf-csrf :-)

edit 2:
Alternative idea to fix this:
if we rename the cookie from "_csrf" to anything else, that should also "workaround" the issue.
I was anyways thinking if we maybe wanted to rename it to include "trilium" in the name anyways

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pano9000 , I think changing the name of the cookie is the way to go.

validateOnReuse: false // if validation fails, generate a new token instead of throwing an error
});
log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`);

// We force the page to not be cached since on mobile the CSRF token can be
Expand Down
10 changes: 5 additions & 5 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading