@gov-cy/govcy-express-services
An Express-based system that dynamically renders services using @gov-cy/govcy-frontend-renderer and posts data to a submission API.
import { randomBytes, timingSafeEqual } from "node:crypto";
import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
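/**
 * Middleware to handle CSRF token generation and validation.
 *
 * A token is generated once per session and exposed to views through
 * `req.csrfToken()`. On POST requests the `_csrf` field of the parsed body
 * must match the session token, otherwise a 403 error is passed to the
 * error handler. Requires a session middleware (`req.session`) and a body
 * parser to have run before this middleware.
 *
 * @param {object} req The request object
 * @param {object} res The response object
 * @param {object} next The next middleware function
 */
export function govcyCsrfMiddleware(req, res, next) {
    // Generate token on first request per session
    if (!req.session.csrfToken) {
        req.session.csrfToken = generateRandonToken();
    }
    req.csrfToken = () => req.session.csrfToken;

    // Check token on POST requests. Only POST is validated here; other
    // state-changing methods (PUT/PATCH/DELETE) pass through unchecked.
    if (req.method === 'POST') {
        // `req.body` is undefined when no body parser ran or the body was empty;
        // treat that as a missing token rather than throwing a TypeError
        const tokenFromBody = req.body?._csrf;
        if (!csrfTokensMatch(req.session.csrfToken, tokenFromBody)) {
            return handleMiddlewareError("🚨 Invalid CSRF token", 403, next); // Pass error to govcyHttpErrorHandler
        }
    }
    next();
}

/**
 * Compare a submitted CSRF token against the session token in constant time,
 * so the comparison does not leak how many leading characters matched.
 *
 * @param {unknown} expected The token stored in the session
 * @param {unknown} provided The token submitted by the client
 * @returns {boolean} true only when both are non-empty strings with identical content
 */
function csrfTokensMatch(expected, provided) {
    if (typeof expected !== 'string' || typeof provided !== 'string') return false;
    if (expected.length === 0 || provided.length === 0) return false;
    const expectedBuf = Buffer.from(expected, 'utf8');
    const providedBuf = Buffer.from(provided, 'utf8');
    // timingSafeEqual throws on unequal lengths; a length mismatch is simply a mismatch
    return expectedBuf.length === providedBuf.length && timingSafeEqual(expectedBuf, providedBuf);
}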
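/**
 * Generate a random token string suitable for use as a CSRF token.
 *
 * Uses the platform CSPRNG (`crypto.randomBytes`) rather than `Math.random()`,
 * which is not cryptographically secure and must not be used for
 * security-sensitive tokens. The result is lowercase hexadecimal.
 * The exported name (including its spelling) is kept because callers import it.
 *
 * @param {number} [length=32] Number of characters in the token
 * @returns {string} A random token string of `length` hex characters
 * @throws {RangeError} When `length` is not a non-negative integer
 */
export function generateRandonToken(length = 32) {
    if (!Number.isInteger(length) || length < 0) {
        throw new RangeError(`token length must be a non-negative integer, got ${length}`);
    }
    // Each byte yields two hex characters; round up, then trim to the requested length
    const bytes = randomBytes(Math.ceil(length / 2));
    return bytes.toString('hex').slice(0, length);
}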