Implement CSRF Countermeasures #71

Closed
opened 2024-12-29 04:32:37 -05:00 by rainbownapkin · 8 comments
rainbownapkin commented 2024-12-29 04:32:37 -05:00 (Migrated from gitlab.com)

We should implement CSRF countermeasures to keep sensitive actions safe.

The NPM package csrf-sync looks like it might be a good option.

We should protect all API calls that affect session state or DB, as well as channel connections.
rainbownapkin commented 2024-12-29 04:32:37 -05:00 (Migrated from gitlab.com)

added #35 as parent issue
rainbownapkin commented 2024-12-29 04:33:33 -05:00 (Migrated from gitlab.com)

changed the description
rainbownapkin commented 2024-12-29 15:03:25 -05:00 (Migrated from gitlab.com)

CSRF tokens now embedded in full-paged EJS templates: 83f76af6e8290a330d377cd3c33aeeeb199ceb27
rainbownapkin commented 2024-12-29 21:42:14 -05:00 (Migrated from gitlab.com)

changed the description
rainbownapkin commented 2024-12-29 21:44:32 -05:00 (Migrated from gitlab.com)

CSRF tokens added to all API calls, /api/account calls updated: 106b0fcddba25313b401f8b00afee97111498571
rainbownapkin commented 2024-12-29 22:29:34 -05:00 (Migrated from gitlab.com)

Added CSRF token headers to ajax calls for /api/channel routes: 6dd8983a48ca44e07dfbcf2e9521ff3be2017910
rainbownapkin commented 2024-12-29 22:46:10 -05:00 (Migrated from gitlab.com)

Added CSRF token headers to ajax calls for /api/admin routes: 6c379321f7e1de168267babe626156281b4a47d3
rainbownapkin (Migrated from gitlab.com) closed this issue 2024-12-29 23:08:59 -05:00
rainbownapkin commented 2024-12-29 23:09:00 -05:00 (Migrated from gitlab.com)

Added CSRF token check to socket.io connection authorization function: 4a865e8aa85e0abc25e5f15a6a1a54ce906235a0

CSRF countermeasure implementation complete.
Reference: rainbownapkin/canopy#71