Added CSRF protection to all API calls. /api/account AJAX calls updated.

2024-12-29 21:40:50 -05:00 · 2024-12-29 21:40:50 -05:00 · 106b0fcddb
commit 106b0fcddb
parent 7e0c8e72c5
11 changed files with 149 additions and 14 deletions
--- a/src/utils/csrfUtils.js
+++ b/src/utils/csrfUtils.js
@ -17,8 +17,11 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //NPM Imports
 const { csrfSync } = require('csrf-sync');

+//Local Imports
+const {errorHandler} = require('./loggerUtils');
+
 //Pull needed methods from csrfSync
-const {generateToken, revokeToken, csrfSynchronisedProtection,} = csrfSync();
+const {generateToken, revokeToken, csrfSynchronisedProtection} = csrfSync();

 //Export them per csrfSync documentation
 module.exports.generateToken = generateToken;
--- a/src/utils/loggerUtils.js
+++ b/src/utils/loggerUtils.js
@ -38,4 +38,17 @@ module.exports.socketCriticalExceptionHandler = function(socket, err){

 module.exports.consoleWarn = function(string){
        console.warn('\x1b[31m\x1b[4m%s\x1b[0m',string);
+}
+
+//Basic error-handling middleware to ensure we're not dumping stack traces
+module.exports.errorMiddleware = function(err, req, res, next){
+        //Set generic error
+        var reason = "Server Error";
+
+        //If it's un-authorized
+        if(err.status == 403){
+                reason = "Unauthorized"
+        }
+
+        module.exports.errorHandler(res, err.message, reason, err.status);
 }