Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement CSRF protection #1351

Merged
merged 54 commits into from
Apr 3, 2024
Merged

Implement CSRF protection #1351

merged 54 commits into from
Apr 3, 2024

Conversation

awidener3
Copy link
Contributor

@awidener3 awidener3 commented Jan 22, 2024
edited by kethinov
Loading

Include CSRF protection in Roosevelt applications

  • CSRF protection is enabled by default.
  • CSRF can only be fully disabled by disabling express-session (added with Add express-session dependency #1341).
  • Developers can switch between full (default) and manual. manual allows the dev to specify which routes are protected.
  • The README has been updated to educate devs on how to include a CSRF token in their POST requests.

closes #27

closes #1244

@awidener3
Copy link
Contributor Author

@kethinov I'm not 100% sold on my decision of using full vs. manual as configuration options. Any suggestions or thoughts?

@awidener3 awidener3 marked this pull request as ready for review January 29, 2024 20:30
@codecov Codecov
Copy link

codecov bot commented Mar 4, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 28.00000% with 144 lines in your changes are missing coverage. Please review.

Project coverage is 83.44%. Comparing base (b4c5091) to head (d89f43c).

Files Patch % Lines
lib/setExpressConfigs.js 14.51% 53 Missing ⚠️
lib/scripts/certsGenerator.js 0.00% 45 Missing ⚠️
lib/scripts/csrfSecretGenerator.js 13.33% 39 Missing ⚠️
roosevelt.js 50.00% 7 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1351      +/-   ##
==========================================
- Coverage   87.32%   83.44%   -3.88%     
==========================================
  Files          25       26       +1     
  Lines        3590     3758     +168     
==========================================
+ Hits         3135     3136       +1     
- Misses        455      622     +167

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@kethinov kethinov mentioned this pull request Mar 11, 2024
Closed
kethinov
kethinov requested changes Mar 13, 2024
View reviewed changes
README.md Outdated Show resolved Hide resolved
lib/setExpressConfigs.js Outdated Show resolved Hide resolved
kethinov and others added 29 commits March 13, 2024 12:13
@kethinov
copyediting
c15258f
@kethinov
refactor params and overhaul README
d306615
@kethinov
inline help
362e9ef
@kethinov
fine-tuning
119e0d5
@kethinov
readme improvements
cb1da81
@kethinov
beat that warning into submission some more
a01d4e5
@kethinov
beat the tests into submission and update deps
c6f62a0
@kethinov
Merge branch 'main' of https://github.com/rooseveltframework/roosevelt
bccdd3a 
…into csrf-support
@awidener3
replace malibu with csrf-csrf
ac3e456
@awidener3
implement csrf-csrf api, custom 403
7d54087
@awidener3
add comments
dcf3dfb
@awidener3
update unauthorized to forbidden
e1831ae
@awidener3
decouple csrf from express-session
8df630f
@awidener3
update secret generation
7a4e5ac
@awidener3
update readme
e1abf4e
@kethinov
Update lib/scripts/configAuditor.js
ef8765c
@kethinov
Update README.md
c9306a4
@kethinov
Update README.md
5dd2918
@kethinov
Update lib/setExpressConfigs.js
949a86b
@awidener3
fix missed unauthorized
5f9afb8
@awidener3
add csrf secret generation
94a9846
@awidener3
update readme
c543367
@awidener3
adjust csrfProtection type
a4f1b78
@kethinov
Merge pull request #1 from awidener3/csrf-dep-update
06f8c0f 
Replace `malibu` with `csrf-csrf`
@kethinov
tweaks
3c7123f
@awidener3
update tests
adb35de
@awidener3
update test
a6e57d7
@awidener3
certs tweaks
b9656fc
@kethinov
0.22.0
d89f43c
@kethinov kethinov merged commit 7a4022c into rooseveltframework:main Apr 3, 2024
4 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kethinov kethinov kethinov requested changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Upgrade dev_sync.sh to a smarter Node.js-based script CSRF support
2 participants
@awidener3 @kethinov