;
// Babel helper: a `typeof` that also reports "symbol" for polyfilled Symbol instances in
// engines where `typeof Symbol()` is not natively "symbol". Replaces itself on first call.
function _typeof(o) {
  "@babel/helpers - typeof";
  var symbolIsNative = typeof Symbol === "function" && typeof Symbol.iterator === "symbol";
  if (symbolIsNative) {
    _typeof = function (value) {
      return typeof value;
    };
  } else {
    _typeof = function (value) {
      var looksLikeSymbol = value && typeof Symbol === "function" && value.constructor === Symbol && value !== Symbol.prototype;
      return looksLikeSymbol ? "symbol" : typeof value;
    };
  }
  return _typeof(o);
}
// Babel helper: installs each descriptor in `r` on `e`. Descriptors are forced configurable,
// data descriptors are forced writable, enumerable defaults to false, and keys go through
// _toPropertyKey so symbols survive and everything else becomes a string.
function _defineProperties(e, r) {
  for (var index = 0; index < r.length; index++) {
    var descriptor = r[index];
    descriptor.enumerable = descriptor.enumerable || false;
    descriptor.configurable = true;
    if ("value" in descriptor) {
      descriptor.writable = true;
    }
    Object.defineProperty(e, _toPropertyKey(descriptor.key), descriptor);
  }
}
// Babel helper: attaches prototype descriptors `r` and static descriptors `t` to constructor `e`,
// then freezes `e.prototype` against reassignment (as a native class would) and returns `e`.
function _createClass(e, r, t) {
  if (r) {
    _defineProperties(e.prototype, r);
  }
  if (t) {
    _defineProperties(e, t);
  }
  Object.defineProperty(e, "prototype", { writable: false });
  return e;
}
// Babel helper: converts a computed key to a valid property key — symbols pass through,
// anything else is coerced to a string after ToPrimitive with the "string" hint.
function _toPropertyKey(t) {
  var primitive = _toPrimitive(t, "string");
  if (_typeof(primitive) == "symbol") {
    return primitive;
  }
  return "" + primitive;
}
// Babel helper implementing ToPrimitive: non-objects (and null) are returned as-is; objects
// with a Symbol.toPrimitive method are asked with hint `r` (default "default") and must yield
// a primitive; otherwise String() or Number() is applied depending on the hint.
function _toPrimitive(t, r) {
  var isObject = _typeof(t) == "object" && t;
  if (!isObject) {
    return t;
  }
  var exoticToPrim = t[Symbol.toPrimitive];
  if (exoticToPrim !== undefined) {
    var result = exoticToPrim.call(t, r || "default");
    if (_typeof(result) != "object") {
      return result;
    }
    throw new TypeError("@@toPrimitive must return a primitive value.");
  }
  var convert = r === "string" ? String : Number;
  return convert(t);
}
// Babel helper: enforces that a transpiled class constructor `n` was invoked with `new`
// (i.e. `this` is an instance of it) rather than called as a plain function.
function _classCallCheck(a, n) {
  var constructedProperly = a instanceof n;
  if (constructedProperly) {
    return;
  }
  throw new TypeError("Cannot call a class as a function");
}
// Babel helper: calls the parent constructor `o` for instance `t` with argument list `e`.
// When a working Reflect.construct exists it is used with `t`'s constructor as new.target
// (so native parents such as Error build the right kind of object); otherwise `o` is applied
// to `t` directly. The result is normalised by _possibleConstructorReturn.
function _callSuper(t, o, e) { return o = _getPrototypeOf(o), _possibleConstructorReturn(t, _isNativeReflectConstruct() ? Reflect.construct(o, e || [], _getPrototypeOf(t).constructor) : o.apply(t, e)); }
// Babel helper: decides what a derived constructor returns. An object/function result `e`
// replaces `this`; any other non-undefined result is a TypeError; otherwise the initialised
// `this` (`t`) is returned, via _assertThisInitialized which rejects an undefined `t`.
function _possibleConstructorReturn(t, e) {
  var kind = _typeof(e);
  if (e && (kind == "object" || typeof e == "function")) {
    return e;
  }
  if (e !== undefined) {
    throw new TypeError("Derived constructors may only return object or undefined");
  }
  return _assertThisInitialized(t);
}
// Babel helper: guards against using `this` in a derived constructor before `super()` ran —
// only an undefined value is rejected; any other value (including null) is passed back.
function _assertThisInitialized(e) {
  if (e !== undefined) {
    return e;
  }
  throw new ReferenceError("this hasn't been initialised - super() hasn't been called");
}
// Babel helper: wires subclass `t` to parent `e` (a function, or null for a bare prototype
// chain). Sets up `t.prototype` with a non-enumerable `constructor`, freezes the `prototype`
// property and, when a parent exists, links the constructors themselves for static inheritance.
function _inherits(t, e) {
  var acceptableParent = typeof e === "function" || e === null;
  if (!acceptableParent) {
    throw new TypeError("Super expression must either be null or a function");
  }
  var parentPrototype = e === null ? null : e.prototype;
  t.prototype = Object.create(parentPrototype, {
    constructor: { value: t, writable: true, configurable: true }
  });
  Object.defineProperty(t, "prototype", { writable: false });
  if (e) {
    _setPrototypeOf(t, e);
  }
}
// Babel helper: makes a native constructor (here Error) usable as the parent of a transpiled
// class. Non-native functions and null are returned unchanged; native ones are wrapped in a
// `Wrapper` that constructs via _construct so the instance gets the subclass prototype. Wrappers
// are memoised per constructor in a Map when one is available. Replaces itself on first call.
function _wrapNativeSuper(t) { var r = "function" == typeof Map ? new Map() : void 0; return _wrapNativeSuper = function _wrapNativeSuper(t) { if (null === t || !_isNativeFunction(t)) return t; if ("function" != typeof t) throw new TypeError("Super expression must either be null or a function"); if (void 0 !== r) { if (r.has(t)) return r.get(t); r.set(t, Wrapper); } function Wrapper() { return _construct(t, arguments, _getPrototypeOf(this).constructor); } return Wrapper.prototype = Object.create(t.prototype, { constructor: { value: Wrapper, enumerable: !1, writable: !0, configurable: !0 } }), _setPrototypeOf(Wrapper, t); }, _wrapNativeSuper(t); }
// Babel helper equivalent of `new t(...e)` whose instance should inherit from `r.prototype`.
// With a working Reflect.construct the helper's own (t, e, r) arguments are forwarded so `r`
// acts as new.target; otherwise `t` is bound with a null `this` plus the args, constructed,
// and the prototype is patched afterwards when `r` is given.
function _construct(t, e, r) { if (_isNativeReflectConstruct()) return Reflect.construct.apply(null, arguments); var o = [null]; o.push.apply(o, e); var p = new (t.bind.apply(t, o))(); return r && _setPrototypeOf(p, r.prototype), p; }
// Babel helper: feature-detects a spec-compliant Reflect.construct by constructing a Boolean
// with a custom new.target and checking the result still carries Boolean data. The hoisted
// `var t` stays undefined if the probe throws (the catch parameter shadows it), so the answer
// is false there. The result is memoised by replacing the helper with a constant function.
function _isNativeReflectConstruct() { try { var t = !Boolean.prototype.valueOf.call(Reflect.construct(Boolean, [], function () {})); } catch (t) {} return (_isNativeReflectConstruct = function _isNativeReflectConstruct() { return !!t; })(); }
// Babel helper: true when `t` stringifies to native-function source ("[native code]").
// Function.prototype.toString throws for non-callables, in which case the plain `typeof`
// check decides.
function _isNativeFunction(t) {
  var source;
  try {
    source = Function.toString.call(t);
  } catch (ignored) {
    return typeof t === "function";
  }
  return source.indexOf("[native code]") !== -1;
}
// Babel helper: sets the prototype of `t` to `e` and returns `t`, preferring the standard
// Object.setPrototypeOf and falling back to `__proto__` assignment. Picks the implementation
// once, on first call, by replacing itself.
function _setPrototypeOf(t, e) {
  if (Object.setPrototypeOf) {
    _setPrototypeOf = Object.setPrototypeOf.bind();
  } else {
    _setPrototypeOf = function (target, proto) {
      target.__proto__ = proto;
      return target;
    };
  }
  return _setPrototypeOf(t, e);
}
// Babel helper: returns the prototype of `t`, using Object.getPrototypeOf when the engine
// supports Object.setPrototypeOf and otherwise reading `__proto__` first. Picks the
// implementation once, on first call, by replacing itself.
function _getPrototypeOf(t) {
  if (Object.setPrototypeOf) {
    _getPrototypeOf = Object.getPrototypeOf.bind();
  } else {
    _getPrototypeOf = function (target) {
      return target.__proto__ || Object.getPrototypeOf(target);
    };
  }
  return _getPrototypeOf(t);
}
var csrf = require('csrf');
/**
 * Error type the CSRF middleware hands to `next(err)` when the session secret is missing,
 * the request carries no token, or the token does not verify against the secret.
 * Transpiled form of `class CsrfError extends Error`; `name` is overridden so error
 * handlers and logs can tell it apart from other Errors.
 */
var CsrfError = /*#__PURE__*/function (_Error) {
function CsrfError(message) {
var _this;
_classCallCheck(this, CsrfError);
_this = _callSuper(this, CsrfError, [message]);
_this.name = 'CsrfError';
return _this;
}
_inherits(CsrfError, _Error);
return _createClass(CsrfError);
}( /*#__PURE__*/_wrapNativeSuper(Error));
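/**
 * Builds the CSRF protection middleware used by GOV.UK Pay Node.js services.
 *
 * The per-session secret lives at `req[sessionName][secretName]`; the token presented by the
 * client is read from `req.body[tokenName]` first and `req.query[tokenName]` second.
 *
 * @param logger {Logger} anything exposing a `debug(message)` method
 * @param sessionName {string} the name of the object on the request where the secret key will be stored
 * @param secretName {string} the name of the key in session object that will hold the secret value
 * @param tokenName {string} the name of the key on the request body/query that will hold the token value
 * @param protectedMethods {string[]} HTTP methods (case-insensitive) whose requests must carry a
 *   valid token; defaults to `['PUT', 'POST']`, so PATCH and DELETE are NOT checked unless listed
 * @returns {{setSecret: Function, checkToken: Function, generateToken: Function}} Express-style
 *   middleware; every failure is reported as a `CsrfError` passed to `next`, never thrown
 */
var configureCsrfMiddleware = function configureCsrfMiddleware(logger, sessionName) {
  var secretName = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : 'csrfSecret';
  var tokenName = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : 'csrfToken';
  var protectedMethods = arguments.length > 4 && arguments[4] !== undefined ? arguments[4] : ['PUT', 'POST'];
  // Normalise the method list once so the per-request check is a plain membership test.
  var methods = protectedMethods.map(function (method) {
    return String(method).toUpperCase();
  });
  logger.debug('--- CSRF middleware configuration ---');
  logger.debug("Secret is set at req['".concat(sessionName, "']['").concat(secretName, "']"));
  logger.debug("Token is checked at req.body|query['".concat(tokenName, "']"));
  logger.debug("Token is required for ".concat(methods.join('/'), " requests"));
  logger.debug('-------------------------------------');

  // Reads the stored secret, yielding undefined (instead of throwing) when the session object is absent.
  var readSecret = function readSecret(req) {
    var session = req[sessionName];
    return session === null || session === undefined ? undefined : session[secretName];
  };

  /**
   * Ensures a CSRF secret exists on the session, generating one on first use.
   * @param req {e.Request}
   * @param res {e.Response}
   * @param next {e.NextFunction}
   */
  var setSecret = function setSecret(req, res, next) {
    if (readSecret(req)) {
      return next();
    }
    var session = req[sessionName];
    // Without a session object there is nowhere to persist the secret: report a CsrfError
    // rather than letting the assignment below throw an opaque TypeError.
    if (session === null || session === undefined) {
      return next(new CsrfError("CSRF secret cannot be stored because req['".concat(sessionName, "'] is not set")));
    }
    logger.debug('Synchronising CSRF secret');
    session[secretName] = csrf().secretSync();
    next();
  };

  /**
   * Rejects protected (state-changing) requests whose token is missing or does not verify
   * against the session secret.
   * @param req {e.Request}
   * @param res {e.Response}
   * @param next {e.NextFunction}
   */
  var checkToken = function checkToken(req, res, next) {
    // Short circuit the check for methods outside the protected set (PUT/POST by default).
    if (!methods.includes(req.method.toUpperCase())) {
      return next();
    }
    var csrfSecret = readSecret(req);
    var body = req.body;
    var query = req.query;
    // Body first, query string as a fallback. Tokens carried in the query string end up in
    // access logs and Referer headers, so the body is the preferred place for clients to send them.
    var tokenFromBody = body === null || body === undefined ? undefined : body[tokenName];
    var tokenFromQuery = query === null || query === undefined ? undefined : query[tokenName];
    var csrfToken = tokenFromBody || tokenFromQuery;
    if (!csrfSecret) {
      return next(new CsrfError("CSRF secret was not found on ".concat(sessionName, " when validating token")));
    }
    if (!csrfToken) {
      return next(new CsrfError("CSRF token was not found in body or query for ".concat(methods.join('/'), " request")));
    }
    if (!csrf().verify(csrfSecret, csrfToken)) {
      return next(new CsrfError('Invalid CSRF token'));
    }
    next();
  };

  /**
   * Derives a token from the session secret and exposes it to templates as `res.locals.csrf`.
   * @param req {e.Request}
   * @param res {e.Response}
   * @param next {e.NextFunction}
   */
  var generateToken = function generateToken(req, res, next) {
    var csrfSecret = readSecret(req);
    // A missing secret (setSecret not run, or the session dropped) used to surface as a bare
    // TypeError from the property access or from csrf().create; report it as a CsrfError instead.
    if (!csrfSecret) {
      return next(new CsrfError("CSRF secret was not found on ".concat(sessionName, " when generating token")));
    }
    res.locals.csrf = csrf().create(csrfSecret);
    next();
  };

  return {
    setSecret: setSecret,
    checkToken: checkToken,
    generateToken: generateToken
  };
};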
// Public API: the middleware factory and the error type its middleware passes to `next`.
module.exports = {
configureCsrfMiddleware: configureCsrfMiddleware,
CsrfError: CsrfError
};