security fix #21

Author: paoloronco

server/server.js

@@ -18,6 +18,7 @@ import rateLimit from 'express-rate-limit';
 import { z } from 'zod';
 import { timingSafeEqual } from 'crypto';
 import cookieParser from 'cookie-parser';
+import lusca from 'lusca';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -71,6 +72,32 @@ app.use(express.urlencoded({ limit: '10mb', extended: true }));
 app.use(express.static(join(__dirname, '../dist')));
 app.use(cookieParser(COOKIE_SECRET));
 
+// CSRF Protection
+app.use(lusca.csrf({
+  cookie: {
+    name: '_csrf',
+    secure: process.env.NODE_ENV === 'production',
+    httpOnly: true,
+    sameSite: 'strict'
+  },
+  value: (req) => {
+    // Get CSRF token from header, body, or query string
+    return req.headers['x-csrf-token'] || 
+           req.body && req.body._csrf || 
+           req.query && req.query._csrf;
+  }
+}));
+
+// Add CSRF token to response for SPA
+app.use((req, res, next) => {
+  res.cookie('XSRF-TOKEN', req.csrfToken(), {
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'strict',
+    path: '/'
+  });
+  next();
+});
+
 // Rate limiting
 const apiLimiter = rateLimit({
   windowMs: 15 * 60 * 1000,
@@ -119,6 +146,19 @@ app.use('/api', apiLimiter);
 // Initialize database
 await initializeDatabase();
 
+// Add CSRF token endpoint for SPA
+app.get('/api/csrf-token', (req, res) => {
+  res.json({ csrfToken: req.csrfToken() });
+});
+
+// Apply CSRF protection to all non-GET/HEAD/OPTIONS requests
+app.use((req, res, next) => {
+  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {
+    return next();
+  }
+  lusca.csrf()(req, res, next);
+});
+
 // Auth Routes
 app.get('/api/auth/setup-status', authLimiter, async (req, res) => {
   try {