Merge pull request #13 from curveball/csrf-support

CSRF token checking support
curveball · Feb 2, 2021 · 00b7ebe · 00b7ebe
2 parents b13d115 + 60f6ca6
commit 00b7ebe
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 12 deletions.
diff --git a/changelog.md b/changelog.md
@@ -1,6 +1,15 @@
 Changelog
 =========
 
+0.2.0 (2020-02-02)
+------------------
+
+* Now supports submitting HTML form. This was blocked due to CSRF problems,
+  but we now validate CSRF tokens.
+* This is considered a BC break, as this package requires curveball/session
+  0.6, which itself has introduced a BC breka.
+
+
 0.1.4 (2020-10-27)
 ------------------
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -35,7 +35,8 @@
   },
   "homepage": "https://github.com/curveball/browser-to-bearer#readme",
   "devDependencies": {
-    "@curveball/core": "^0.14.3",
+    "@curveball/core": "^0.16.1",
+    "@curveball/session": "^0.6.0",
     "@types/chai": "^4.2.14",
     "@types/mocha": "^8.2.0",
     "@types/node": "^10.17.51",
@@ -58,7 +59,8 @@
     ]
   },
   "peerDependencies": {
-    "@curveball/core": ">=0.9.0 <1.0.0"
+    "@curveball/core": ">=0.9.0 <1.0.0",
+    "@curveball/session": "^0.6.0"
   },
   "dependencies": {
     "node-fetch": "^2.6.1"

diff --git a/src/index.ts b/src/index.ts
@@ -1,7 +1,8 @@
 import { Context, Middleware } from '@curveball/core';
-import { BadRequest, Forbidden, Unauthorized } from '@curveball/http-errors';
+import '@curveball/session';
+import { BadRequest, Unauthorized } from '@curveball/http-errors';
 import { default as fetch, Response } from 'node-fetch';
-import querystring from 'querystring';
+import * as querystring from 'querystring';
 import { resolve } from 'url';
 
 type OAuth2Options = {
@@ -38,9 +39,9 @@ export default function(options: OAuth2Options): Middleware {
       return handleInnerRequest(ctx, next, options);
     }
 
-    if (!['GET', 'HEAD', 'OPTIONS'].includes(ctx.method)) {
-      // For now we only support safe methods.
-      throw new Forbidden('When using cookie-based authentication, only safe methods are supported');
+    if (!['GET', 'HEAD', 'OPTIONS', 'SEARCH'].includes(ctx.method)) {
+      // This is an unsafe method. We will check if there's a CSRF token.
+      ctx.validateCsrf();
     }
 
     ctx.request.headers.set('Authorization', 'Bearer ' + oauth2Tokens.accessToken);