rainbownapkin/canopy
1
0
Fork 0
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity Actions

Protected socket.io connection with csrf-sync to prevent cross-site connections.

Browse source
This commit is contained in:
rainbow napkin 2024-12-29 23:06:11 -05:00
parent 6c379321f7
commit 4a865e8aa8
3 changed files with 16 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/app/channel/channelManager.js
View file

@ -19,6 +19,7 @@ const channelModel = require('../../schemas/channel/channelSchema');
const emoteModel = require('../../schemas/emoteSchema');
const {userModel} = require('../../schemas/user/userSchema');
const loggerUtils = require('../../utils/loggerUtils');
const csrfUtils = require('../../utils/csrfUtils');
const activeChannel = require('./activeChannel');
const chatHandler = require('./chatHandler');
@ -80,6 +81,11 @@ module.exports = class{
}
async authSocket(socket){
//Check for Cross-Site Request Forgery
if(!csrfUtils.isRequestValid(socket.request)){
throw new Error("Invalid CSRF Token!");
}
//Find the user in the Database since the session won't store enough data to fulfill our needs :P
const userDB = await userModel.findOne({user: socket.request.session.user.user});

6
src/utils/csrfUtils.js
View file

@ -21,9 +21,11 @@ const { csrfSync } = require('csrf-sync');
const {errorHandler} = require('./loggerUtils');
//Pull needed methods from csrfSync
const {generateToken, revokeToken, csrfSynchronisedProtection} = csrfSync();
const {generateToken, revokeToken, csrfSynchronisedProtection, isRequestValid} = csrfSync();
//Export them per csrfSync documentation
//if nothing else it's nice syntactic sugar to not have to run the method again
module.exports.generateToken = generateToken;
module.exports.revokeToken = revokeToken;
module.exports.csrfSynchronisedProtection = csrfSynchronisedProtection;
module.exports.csrfSynchronisedProtection = csrfSynchronisedProtection;
module.exports.isRequestValid = isRequestValid;