chore: update dependencies (#1393)

* chore: update sqlite3 * chore: update nextjs * chore: update semver * chore: update email-templates * chore: update express and express-openapi-validator * chore: override cross-spawn as the packages using it didnt update it * chore: update undici * feat: use csrf-csrf instead of deprecated csurf * chore: override cookie * chore: remove the overrides * chore: update lockfile * chore: revert cypress update * chore: revert revert cypress update * chore: update cypress * ci(cypress): upload video artifacts for debugging * chore(cypress): generate videos * ci(cypress): remove unnecessary matrix.browser in the artifact name * chore: update to es2021 --------- Co-authored-by: Gauthier <mail@gauthierth.fr>
2025-03-08 02:45:14 +08:00
parent e97a13e1e4
commit dcc13080bc
9 changed files with 1430 additions and 1401 deletions
--- a/server/index.ts
+++ b/server/index.ts
@@ -28,7 +28,7 @@ import restartFlag from '@server/utils/restartFlag';
 import { getClientIp } from '@supercharge/request-ip';
 import { TypeormStore } from 'connect-typeorm/out';
 import cookieParser from 'cookie-parser';
-import csurf from 'csurf';
+import { doubleCsrf } from 'csrf-csrf';
 import type { NextFunction, Request, Response } from 'express';
 import express from 'express';
 import * as OpenApiValidator from 'express-openapi-validator';
@@ -162,18 +162,23 @@ app
      }
    });
    if (settings.network.csrfProtection) {
-      server.use(
-        csurf({
-          cookie: {
-            httpOnly: true,
-            sameSite: true,
-            secure: !dev,
-          },
-        })
-      );
+      const { doubleCsrfProtection, generateToken } = doubleCsrf({
+        getSecret: () => settings.clientId,
+        cookieName: 'XSRF-TOKEN',
+        cookieOptions: {
+          httpOnly: true,
+          sameSite: 'strict',
+          secure: !dev,
+        },
+        size: 64,
+        ignoredMethods: ['GET', 'HEAD', 'OPTIONS'],
+      });
+
+      server.use(doubleCsrfProtection);
+
      server.use((req, res, next) => {
-        res.cookie('XSRF-TOKEN', req.csrfToken(), {
-          sameSite: true,
+        res.cookie('XSRF-TOKEN', generateToken(req, res), {
+          sameSite: 'strict',
          secure: !dev,
        });
        next();
--- a/server/lib/email/index.ts
+++ b/server/lib/email/index.ts
@@ -50,6 +50,7 @@ class PreparedEmail extends Email {
      },
      send: true,
      transport: transport,
+      preview: false,
    });
  }
 }