comments

charmingduchess · charmingduchess · commit 88da3aadb098 · 2025-02-11T23:05:46.000-05:00
diff --git a/src/utils/api.ts b/src/utils/api.ts
@@ -244,7 +244,7 @@ function invalidCsrfResponse(res) {
 export async function validateAddress(req, res, appObj = app) {
   const tokenObject = appObj["tokenObject"];
   const parsedTokenFromRequestBody = parseTokenFromPostRequestCookies(req);
-  const csrfTokenValid = validateCsrfToken(req, parsedTokenFromRequestBody);
+  const csrfTokenValid = validateCsrfToken(req);
   if (!parsedTokenFromRequestBody) {
     const newToken = generateNewToken();
     setCsrfTokenCookie(res, newToken);
diff --git a/src/utils/utils.ts b/src/utils/utils.ts
@@ -92,6 +92,18 @@ const generateSecret = () => {
   );
 };
 
+// Creates a cookie like 'next-auth.csrf-token' with the value 'token|hash',
+// where 'token' is the CSRF token and 'hash' is a hash made of the token and
+// the secret, and the two values are joined by a pipe '|'. By storing the
+// value and the hash of the value (with the secret used as a salt) we can
+// verify the cookie was set by the server and not by a malicous attacker.
+const generateNewCookieToken = (csrfToken) => {
+  return `${csrfToken}|${createHash("sha256")
+    .update(`${csrfToken}${generateSecret()}`)
+    .digest("hex")}`;
+};
+
+// Parses token and hash generated by generateNewCookieToken.
 const parseTokenFromPostRequestCookies = (req) => {
   let value, hash;
   if (req.cookies[cookie.metadata().csrfToken.name]) {
@@ -102,35 +114,28 @@ const parseTokenFromPostRequestCookies = (req) => {
 
 /**
  * validateCsrfToken
- * Function to verify a csrf token based on code from `next-auth`
- * and modified for our purposes:
+ * Function to verify a csrf token once upon a time based on code from
+ * `next-auth` and modified for our purposes, now heavily refacotred:
  * https://github.com/nextauthjs/next-auth/blob/main/src/server/index.js
- * Most comments are kept in place but some were added for clarity.
+ *
+ * For more details, see the following OWASP links:
+ *  https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
+ *  https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
  */
 const validateCsrfToken = (req) => {
-  const tokenValueFromPostRequestBody = req.body?.csrfToken;
+  const tokenFromRequestBody = req.body?.csrfToken;
   const tokenFromRequestCookie = parseTokenFromPostRequestCookies(req);
-  // Ensure CSRF Token cookie is set for any subsequent requests.
-  // Used as part of the strategy for mitigation for CSRF tokens.
-  //
-  // Creates a cookie like 'next-auth.csrf-token' with the value 'token|hash',
-  // where 'token' is the CSRF token and 'hash' is a hash made of the token and
-  // the secret, and the two values are joined by a pipe '|'. By storing the
-  // value and the hash of the value (with the secret used as a salt) we can
-  // verify the cookie was set by the server and not by a malicous attacker.
-  //
-  // For more details, see the following OWASP links:
-  // https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
-  // https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
 
   if (postRequestHashMatchesServerHash(tokenFromRequestCookie)) {
     return (
       req.method === "POST" &&
-      tokenFromRequestCookie.value === tokenValueFromPostRequestBody
+      tokenFromRequestCookie.value === tokenFromRequestBody
     );
   } else return false;
 };
 
+// Validate that the token value from the request cookies generates what the 
+// server knows to be a valid hash
 const postRequestHashMatchesServerHash = (tokenFromRequestCookie) => {
   return (
     tokenFromRequestCookie.hash ===
@@ -140,6 +145,8 @@ const postRequestHashMatchesServerHash = (tokenFromRequestCookie) => {
   );
 };
 
+// Ensure CSRF Token cookie is set for any subsequent requests.
+// Used as part of the strategy for mitigation for CSRF tokens.
 const setCsrfTokenCookie = (res, csrfToken) => {
   const newCsrfTokenCookie = generateNewCookieToken(csrfToken);
   cookie.set(
@@ -154,15 +161,6 @@ const generateNewToken = () => {
   return randomBytes(32).toString("hex");
 };
 
-const generateNewCookieToken = (csrfToken) => {
-  // If there is no csrfToken because it's not been set yet or because
-  // the hash doesn't match (e.g. because it's been modified or because the
-  // secret has changed), then create a new token and create a cookie.
-  return `${csrfToken}|${createHash("sha256")
-    .update(`${csrfToken}${generateSecret()}`)
-    .digest("hex")}`;
-};
-
 export {
   redirectIfUserHasRegistered,
   homePageRedirect,
