govuk-one-login · sw-mattw · May 19, 2025 · May 19, 2025 · May 19, 2025 · May 19, 2025
@@ -79,7 +79,7 @@
     "connect-redis": "8.0.3",
     "cookie-parser": "1.4.7",
     "copyfiles": "2.4.1",
-    "csurf": "1.11.0",
+    "csrf-sync": "4.2.1",
     "dompurify": "3.2.5",
     "ecdsa-sig-formatter": "1.0.11",
     "express": "4.21.2",
@@ -112,7 +112,6 @@
     "@types/chai": "4.3.0",
     "@types/cheerio": "0.22.35",
     "@types/cookie-parser": "1.4.8",
-    "@types/csurf": "1.11.5",
     "@types/debug": "4.1.12",
     "@types/express": "4.17.21",
     "@types/express-session": "1.18.1",

@@ -139,6 +139,8 @@ export const ERROR_MESSAGES = {
   PAGE_NOT_FOUND: "Request page not found",
 };
 
+export const CSRF_MISSING_CODE = "EBADCSRFTOKEN";
+
 export const ERROR_LOG_LEVEL = {
   ERROR: "Error",
   INFO: "Info",

@@ -2,7 +2,6 @@ import type { Application } from "express";
 import express from "express";
 import "express-async-errors";
 import cookieParser from "cookie-parser";
-import csurf from "csurf";
 import type serveStatic from "serve-static";
 import { logger, loggerMiddleware } from "./utils/logger.js";
 import { sanitizeRequestMiddleware } from "./middleware/sanitize-request-middleware.js";
@@ -40,7 +39,6 @@ import { serverErrorHandler } from "./handlers/internal-server-error-handler.js"
 import { csrfMiddleware } from "./middleware/csrf-middleware.js";
 import { checkYourPhoneRouter } from "./components/check-your-phone/check-your-phone-routes.js";
 import { landingRouter } from "./components/landing/landing-route.js";
-import { getCSRFCookieOptions } from "./config/cookie.js";
 import { ENVIRONMENT_NAME } from "./app.constants.js";
 import { enterMfaRouter } from "./components/enter-mfa/enter-mfa-routes.js";
 import { howDoYouWantSecurityCodesRouter } from "./components/how-do-you-want-security-codes/how-do-you-want-security-codes-routes.js";
@@ -103,6 +101,7 @@ import { environmentBannerMiddleware } from "./middleware/environment-banner-mid
 import UID from "uid-safe";
 import { fileURLToPath } from "node:url";
 import { dirname } from "node:path";
+import { csrfSynchronisedProtection } from "./utils/csrf.js";
 
 const directory_name = dirname(fileURLToPath(import.meta.url));
 
@@ -246,7 +245,8 @@ async function createApp(): Promise<express.Application> {
     })
   );
 
-  app.use(csurf({ cookie: getCSRFCookieOptions(isProduction) }));
+  // Must be added to the app after the session and logging, and before the routers.
+  app.use(csrfSynchronisedProtection);
 
   app.use(channelMiddleware);
   app.use(environmentBannerMiddleware);

@@ -13,12 +13,12 @@ Object {
 
 exports[`Integration:: resend SMS mfa code (account creation variant) should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -13,12 +13,12 @@ Object {
 
 exports[`Integration:: check your email should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -35,12 +35,12 @@ Object {
 
 exports[`Integration:: check your phone should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -266,12 +266,12 @@ Object {
 
 exports[`Integration:: contact us - public user should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -13,12 +13,12 @@ Object {
 
 exports[`Integration::register create password should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -11,17 +11,6 @@ Object {
 }
 `;
 
-exports[`Integration:: enter authenticator app code should display correct link to reset mfa 1`] = `
-Object {
-  "contentId": "89461417-df3f-46a8-9c37-713b9dd78085",
-  "taxonomyLevel1": "authentication",
-  "taxonomyLevel2": "sign in",
-  "taxonomyLevel3": "",
-  "taxonomyLevel4": "",
-  "taxonomyLevel5": "",
-}
-`;
-
 exports[`Integration:: enter authenticator app code should include the correct link to change/reset mfa methods when the user has 1 mfaMethods 1`] = `
 Object {
   "contentId": "89461417-df3f-46a8-9c37-713b9dd78085",
@@ -79,12 +68,12 @@ Object {
 
 exports[`Integration:: enter authenticator app code should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -24,12 +24,12 @@ Object {
 
 exports[`Integration::enter email (create account) should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -24,12 +24,12 @@ Object {
 
 exports[`Integration::enter email should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -11,17 +11,6 @@ Object {
 }
 `;
 
-exports[`Integration:: enter mfa should include the correct link to change mfa methods 1`] = `
-Object {
-  "contentId": "19601dd7-be55-4ab6-aa44-a6358c4239dc",
-  "taxonomyLevel1": "authentication",
-  "taxonomyLevel2": "sign in",
-  "taxonomyLevel3": "",
-  "taxonomyLevel4": "",
-  "taxonomyLevel5": "",
-}
-`;
-
 exports[`Integration:: enter mfa should include the correct link to change mfa methods when the user has 1 mfaMethods 1`] = `
 Object {
   "contentId": "19601dd7-be55-4ab6-aa44-a6358c4239dc",
@@ -68,12 +57,12 @@ Object {
 
 exports[`Integration:: enter mfa should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -13,12 +13,12 @@ Object {
 
 exports[`Integration::enter password should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -13,12 +13,12 @@ Object {
 
 exports[`Integration::enter password should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -24,12 +24,12 @@ Object {
 
 exports[`Integration::enter phone number should return error when csrf not present 1`] = `
 Object {
-  "contentId": undefined,
-  "taxonomyLevel1": undefined,
-  "taxonomyLevel2": undefined,
-  "taxonomyLevel3": undefined,
-  "taxonomyLevel4": undefined,
-  "taxonomyLevel5": undefined,
+  "contentId": "",
+  "taxonomyLevel1": "",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
 }
 `;
 

@@ -1,60 +1,5 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`Integration::how do you want security codes should include link to reset mfa methods 1`] = `
-Object {
-  "contentId": "",
-  "taxonomyLevel1": "authentication",
-  "taxonomyLevel2": "",
-  "taxonomyLevel3": "",
-  "taxonomyLevel4": "",
-  "taxonomyLevel5": "",
-}
-`;
-
-exports[`Integration::how do you want security codes should return how do you want security codes page 1`] = `
-Object {
-  "contentId": "",
-  "taxonomyLevel1": "authentication",
-  "taxonomyLevel2": "",
-  "taxonomyLevel3": "",
-  "taxonomyLevel4": "",
-  "taxonomyLevel5": "",
-}
-`;
-
-exports[`Integration::how do you want security codes should return how do you want security codes page as expected 1`] = `
-Object {
-  "contentId": "",
-  "taxonomyLevel1": "authentication",
-  "taxonomyLevel2": "",
-  "taxonomyLevel3": "",
-  "taxonomyLevel4": "",
-  "taxonomyLevel5": "",
-}
-`;
-
-exports[`Integration::how do you want security codes should return how do you want security codes page as expected for SMS user with AUTH APP backup 1`] = `
-Object {
-  "contentId": "",
-  "taxonomyLevel1": "authentication",
-  "taxonomyLevel2": "",
-  "taxonomyLevel3": "",
-  "taxonomyLevel4": "",
-  "taxonomyLevel5": "",
-}
-`;
-
-exports[`Integration::how do you want security codes should return how do you want security codes page as expected for SMS user with SMS backup 1`] = `
-Object {
-  "contentId": "",
-  "taxonomyLevel1": "authentication",
-  "taxonomyLevel2": "",
-  "taxonomyLevel3": "",
-  "taxonomyLevel4": "",
-  "taxonomyLevel5": "",
-}
-`;
-
 exports[`Integration::how do you want security codes should return page as expected for AUTH APP user with SMS backup 1`] = `
 Object {
   "contentId": "",