fix csrf

Author: jeongY-Cho

@types/express/index.d.ts

@@ -13,6 +13,7 @@ declare namespace Express {
       view_count: number;
       created_at: string;
     };
+    csrfToken?: string;
   }
 }
 

src/middleware/auth/CsrfTokenIssueMiddleware.ts

@@ -5,7 +5,7 @@ import CsrfTokenConstants from "../../constants/CsrfTokenConstants.json";
 
 export default class CsrfTokenIssueMiddleware extends BaseMiddleware {
   protected async executeImpl(
-    _req: Request,
+    req: Request,
     res: Response,
     next: NextFunction
   ): Promise<void> {
@@ -17,6 +17,7 @@ export default class CsrfTokenIssueMiddleware extends BaseMiddleware {
         httpOnly: true,
         maxAge: 15 * 60 * 1000,
       });
+      req.csrfToken = csrfToken;
       this.next(next);
     } catch (e) {
       this.uncaughtError(res, e);

src/middleware/auth/CsrfTokenVerifyMiddleware.test.ts

@@ -17,7 +17,7 @@ test("test verify", () => {
     query: {
       state: state1,
     },
-    cookies: {
+    signedCookies: {
       [CsrfTokenConstants.cookieName]: state1,
     },
   } as unknown) as Request;
@@ -36,7 +36,7 @@ test("test mismatch", () => {
     query: {
       state: state1,
     },
-    cookies: {
+    signedCookies: {
       [CsrfTokenConstants.cookieName]: state2,
     },
   } as unknown) as Request;
@@ -57,7 +57,7 @@ describe("test missing", () => {
     const failSpy = jest.spyOn(csrfTokenVerifyMiddleware, "fail");
     const req = ({
       query: {},
-      cookies: {
+      signedCookies: {
         [CsrfTokenConstants.cookieName]: state1,
       },
     } as unknown) as Request;
@@ -78,7 +78,7 @@ describe("test missing", () => {
       query: {
         state: state1,
       },
-      cookies: {},
+      signedCookies: {},
     } as unknown) as Request;
     const res: any = {};
     res.status = jest.fn().mockReturnValue(res);
@@ -95,7 +95,7 @@ describe("test missing", () => {
     const failSpy = jest.spyOn(csrfTokenVerifyMiddleware, "fail");
     const req = ({
       query: {},
-      cookies: {},
+      signedCookies: {},
     } as unknown) as Request;
     const res: any = {};
     res.status = jest.fn().mockReturnValue(res);

src/middleware/auth/CsrfTokenVerifyMiddleware.ts

@@ -12,7 +12,8 @@ export default class CsrfTokenVerifyMiddleware extends BaseMiddleware {
   ): Promise<void> {
     try {
       const { state } = req.query;
-      const csrfState = req.cookies[CsrfTokenConstants.cookieName];
+      const csrfState = req.signedCookies[CsrfTokenConstants.cookieName];
+      console.log(req.signedCookies);
       if (
         state !== csrfState ||
         state === undefined ||

src/routes/initialize/InitializeAuthDirectController.ts

@@ -17,6 +17,9 @@ export default class InitialzeAuthDirectController extends BaseController {
       // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
       params.set("client_id", TWITCH_CLIENT_ID!);
       params.set("force_verify", "true");
+      if (req.csrfToken) {
+        params.set("state", req.csrfToken);
+      }
 
       res.redirect(`${TwitchConstants.authorize}?${params.toString()}`);
     } catch (e) {

tsconfig.json

@@ -68,5 +68,6 @@
     "skipLibCheck": true /* Skip type checking of declaration files. */,
     "forceConsistentCasingInFileNames": true /* Disallow inconsistently-cased references to the same file. */,
     "resolveJsonModule": true
-  }
+  },
+  "exclude": ["*.test.ts"]
 }