replaces deprecated csurf package (#78)

OKTA-713136 replaces deprecated csurf package

package.json

@@ -41,18 +41,16 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@types/csurf": "^1.11.2",
-    "@types/express": "^4.17.17",
     "@okta/configuration-validation": "^0.4.1",
-    "body-parser": "^1.20.1",
-    "csurf": "^1.11.0",
-    "express": "^4.18.2",
+    "@types/express": "^4.17.21",
+    "csrf-sync": "^4.0.3",
+    "express": "^4.19.2",
     "lodash": "^4.17.21",
-    "negotiator": "^0.6.1",
-    "node-fetch": "^2.6.7",
+    "negotiator": "^0.6.3",
+    "node-fetch": "^2.6.13",
     "openid-client": "^5.6.5",
-    "passport": "^0.6.0",
-    "uuid": "^8.3.2"
+    "passport": "^0.7.0",
+    "uuid": "^9.0.1"
   },
   "devDependencies": {
     "@babel/eslint-parser": "^7.17.0",
@@ -80,9 +78,9 @@
     "server-destroy": "^1.0.1",
     "shelljs": "0.8.5",
     "supertest": "^6.3.3",
-    "wdio-wait-for": "^2.2.6",
     "tsd": "^0.25.0",
-    "typescript": "^4.1.5"
+    "typescript": "^4.1.5",
+    "wdio-wait-for": "^2.2.6"
   },
   "resolutions": {
     "webdriver-manager": "^12.1.4",
@@ -103,4 +101,4 @@
       }
     }
   }
-}
+}

src/connectUtil.js

@@ -10,11 +10,11 @@
  * See the License for the specific language governing permissions and limitations under the License.
  */
 
-const csrf = require('csurf');
+const express = require('express');
+const csrf = require('csrf-sync').csrfSync;
 const passport = require('passport');
 const { Router } = require('express');
 const uuid = require('uuid');
-const bodyParser = require('body-parser');
 const logout = require('./logout');
 const OIDCMiddlewareError = require('./OIDCMiddlewareError');
 
@@ -32,7 +32,7 @@ connectUtil.createOIDCRouter = context => {
   const logoutPath = routes.logout.path;
 
   oidcRouter.use(loginCallbackPath, connectUtil.createLoginCallbackHandler(context));
-  oidcRouter.use(loginPath, bodyParser.urlencoded({ extended: false}), connectUtil.createLoginHandler(context));
+  oidcRouter.use(loginPath, express.urlencoded({ extended: false}), connectUtil.createLoginHandler(context));
   oidcRouter.post(logoutPath, connectUtil.createLogoutHandler(context));
 
   oidcRouter.use((err, req, res, next) => {
@@ -44,7 +44,23 @@ connectUtil.createOIDCRouter = context => {
 };
 
 connectUtil.createLoginHandler = context => {
-  const csrfProtection = csrf();
+  const { csrfSynchronisedProtection: csrfProtection } = csrf({
+    getTokenFromRequest: (req) => {
+      // https://www.npmjs.com/package/csurf#value (parity with csurf)
+      if (req.body._csrf) {
+        return req.body._csrf;
+      }
+      if (req.query._csrf) {
+        return req.query._csrf;
+      }
+      const headers = ['csrf-token', 'xsrf-token', 'x-csrf-token', 'x-csrf-token'];
+      for (const h of headers) {
+        if (req.headers[h]) {
+          return req.headers[h];
+        }
+      }
+    }
+  });
   const ALLOWED_OPTIONS = ['login_hint'];
 
   return function(req, res, next) {

test/types/index.test-d.ts

@@ -38,8 +38,8 @@ const configWithRoutes: ExpressOIDC.ConfigurationOptions = {
     login: {
       path: '/different/login',
       viewHandler: (req, res, _next) => {
-        // `req.csrfToken()` is available from 'csurf' package
         res.render('login', {
+          // @ts-expect-error added to req via csrf-sync
           csrfToken: req.csrfToken(),
           baseUrl: 'https://okta.foo'
         });

test/unit/connectUtil.spec.js

@@ -1,8 +1,3 @@
-jest.mock('csurf', function () {
-  return function () {
-  }
-});
-
 const mockAuthenticate = jest.fn();
 jest.mock('passport', function () {
   return {