feat: removed CSRF support (deprecated as we use SameSite lax, see <https://scotthelme.co.uk/csrf-is-dead/>)

titanism · titanism · commit af70bab174e6 · 2022-12-07T15:08:50.000-06:00
diff --git a/index.js b/index.js
@@ -5,8 +5,6 @@ const path = require('node:path');
 const util = require('node:util');
 const zlib = require('node:zlib');
 
-const Boom = require('@hapi/boom');
-const CSRF = require('koa-csrf');
 const Cabin = require('cabin');
 const CacheResponses = require('@ladjs/koa-cache-responses');
 const I18N = require('@ladjs/i18n');
@@ -65,8 +63,6 @@ const reportUri = isSANB(process.env.WEB_URL)
   ? `${process.env.WEB_URL}/report`
   : null;
 
-const INVALID_TOKEN_MESSAGE = 'Invalid CSRF token.';
-
 class Web {
   // eslint-disable-next-line complexity
   constructor(config, Users) {
@@ -81,19 +77,6 @@ class Web {
           extension: 'pug'
         }
       },
-      csrf: {
-        ...sharedWebConfig.csrf,
-        ignoredPathGlobs: ['/report'],
-        errorHandler(ctx) {
-          return ctx.throw(
-            Boom.forbidden(
-              typeof ctx.request.t === 'function'
-                ? ctx.request.t(INVALID_TOKEN_MESSAGE)
-                : INVALID_TOKEN_MESSAGE
-            )
-          );
-        }
-      },
       rateLimit: {
         ...sharedWebConfig.rateLimit,
         ignoredPathGlobs: ['/report']
@@ -368,22 +351,6 @@ class Web {
     if (this.config.methodOverride)
       app.use(methodOverride(...this.config.methodOverride));
 
-    // csrf (with added localization support)
-    if (this.config.csrf && process.env.NODE_ENV !== 'test') {
-      const csrf = new CSRF(this.config.csrf);
-      app.use(async (ctx, next) => {
-        try {
-          await csrf(ctx, next);
-        } catch (err) {
-          let error = err;
-          if (err.name && err.name === 'ForbiddenError')
-            error = Boom.forbidden(err.message);
-
-          ctx.throw(error);
-        }
-      });
-    }
-
     // passport
     if (this.passport) {
       app.use(this.passport.initialize());
diff --git a/package.json b/package.json
@@ -11,7 +11,6 @@
     "Nick Baugh <niftylettuce@gmail.com> (http://niftylettuce.com/)"
   ],
   "dependencies": {
-    "@hapi/boom": "^10.0.0",
     "@koa/router": "^12.0.0",
     "@ladjs/i18n": "^8.0.1",
     "@ladjs/koa-better-static": "^2.0.1",
@@ -38,7 +37,6 @@
     "koa-compress": "^5.1.0",
     "koa-conditional-get": "^3.0.0",
     "koa-connect": "^2.1.0",
-    "koa-csrf": "^5.0.1",
     "koa-etag": "^4.0.0",
     "koa-favicon": "^2.1.0",
     "koa-generic-session": "^2.3.0",
