Protected socket.io connection with csrf-sync to prevent cross-site connections.

src/app/channel/channelManager.js

@@ -19,6 +19,7 @@ const channelModel = require('../../schemas/channel/channelSchema');
 const emoteModel = require('../../schemas/emoteSchema');
 const {userModel} = require('../../schemas/user/userSchema');
 const loggerUtils = require('../../utils/loggerUtils');
+const csrfUtils = require('../../utils/csrfUtils');
 const activeChannel = require('./activeChannel');
 const chatHandler = require('./chatHandler');
 
@@ -80,6 +81,11 @@ module.exports = class{
     }
 
     async authSocket(socket){
+        //Check for Cross-Site Request Forgery
+        if(!csrfUtils.isRequestValid(socket.request)){
+            throw new Error("Invalid CSRF Token!");
+        }
+
         //Find the user in the Database since the session won't store enough data to fulfill our needs :P
         const userDB = await userModel.findOne({user: socket.request.session.user.user});
 

src/utils/csrfUtils.js

@@ -21,9 +21,11 @@ const { csrfSync } = require('csrf-sync');
 const {errorHandler} = require('./loggerUtils');
 
 //Pull needed methods from csrfSync
-const {generateToken, revokeToken, csrfSynchronisedProtection} = csrfSync();
+const {generateToken, revokeToken, csrfSynchronisedProtection, isRequestValid} = csrfSync();
 
 //Export them per csrfSync documentation
+//if nothing else it's nice syntactic sugar to not have to run the method again
 module.exports.generateToken = generateToken;
 module.exports.revokeToken = revokeToken;
 module.exports.csrfSynchronisedProtection = csrfSynchronisedProtection;
+module.exports.isRequestValid = isRequestValid;

www/js/channel/channel.js

@@ -35,7 +35,12 @@ class channel{
     }
 
     connect(){
-        this.socket = io();
+        this.socket = io({
+            extraHeaders: {
+                //Include CSRF token
+                'x-csrf-token': utils.ajax.getCSRFToken()
+            }
+        });
     }
 
     defineListeners(){