CSRF support

[kethinov]

Some general interesting info on the topic:

• https://scotthelme.co.uk/csrf-is-really-dead/
• And https://news.ycombinator.com/item?id=28054292

After due consideration, we've decided to adopt malibu at the framework level.

Will also need to add express-session as a dependency as well.

From malibu docs:

Import deps:

import session from 'express-session'
import { csrf } from 'malibu'

Load the middleware:

const csrfProtection = csrf({ middleware: 'session' })
app.use(session({ secret: 'secret key', resave: false, saveUninitialized: false }))

Note app will already be defined by roosevelt.

Then each route will need to receive the csrfProtection variable. We'll need to document examples in the Roosevelt docs. Here's some examples from malibu:

// this lets you acquire CSRF token on response body
app.get('/', csrfProtection, (req, res) => {
  res.status(200).json({ token: req.csrfToken() })
})

// you may only access this if you give a previously acquired CSRF token
app.post('/', csrfProtection, (req, res) => {
  res.status(200).json({ message: 'hello' })
})

I'm assuming that if a route omits csrfProtection then it simply won't populate req.csrfToken and that isn't necessary to modify every route declaration to include the middleware unless the user decides they want CSRF protection on that route. That assumption needs to be tested.