jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ghostguild-org/server/middleware/01.csrf.js
Jennie Robinson Faber 26c300c357 Implement OWASP ASVS L1 security remediation (Phases 0-2) 
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification,
member status checks (suspended/cancelled = 403), and admin role
enforcement. Apply to all admin, upload, and payment endpoints. Add
role field to Member model.

CSRF: Double-submit cookie middleware with client plugin. Exempt
webhook and magic-link verify routes.

Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP
(Helcim/Cloudinary/Plausible sources) in production only.

Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general
100/min via rate-limiter-flexible, keyed by client IP.

XSS: DOMPurify sanitization on marked() output with tag/attr
allowlists. escapeHtml() utility for email template interpolation.

Anti-enumeration: Login returns identical response for existing and
non-existing emails. Remove 404 handling from login UI components.

Mass assignment: Remove helcimCustomerId from profile allowedFields.

Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies.

Environment: Validate required secrets on startup via server plugin.
Remove JWT_SECRET hardcoded fallback.
2026-03-01 12:53:18 +00:00

46 lines
1.3 KiB
JavaScript
Raw Blame History

import crypto from 'crypto'
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS'])
// Routes exempt from CSRF (external webhooks, magic link verify)
const EXEMPT_PREFIXES = [
'/api/helcim/webhook',
'/api/slack/webhook',
'/api/auth/verify',
]
function isExempt(path) {
return EXEMPT_PREFIXES.some(prefix => path.startsWith(prefix))
}
export default defineEventHandler((event) => {
const method = getMethod(event)
const path = getRequestURL(event).pathname
// Always set a CSRF token cookie if one doesn't exist
let csrfToken = getCookie(event, 'csrf-token')
if (!csrfToken) {
csrfToken = crypto.randomBytes(32).toString('hex')
setCookie(event, 'csrf-token', csrfToken, {
httpOnly: false, // Must be readable by JS to include in requests
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/'
})
}
// Only check state-changing methods
if (SAFE_METHODS.has(method)) return
if (!path.startsWith('/api/')) return
if (isExempt(path)) return
// Double-submit cookie check: header must match cookie
const headerToken = getHeader(event, 'x-csrf-token')
if (!headerToken || headerToken !== csrfToken) {
throw createError({
statusCode: 403,
statusMessage: 'CSRF token missing or invalid'
})
}
})
Reference in a new issue View git blame Copy permalink