fix(#338): Bind CSRF token to user session with HMAC

- Token now includes HMAC binding to session ID
- Validates session binding on verification
- Adds CSRF_SECRET configuration requirement
- Requires authentication for CSRF token endpoint
- 51 new tests covering session binding security

Security: CSRF tokens are now cryptographically tied to user sessions,
preventing token reuse across sessions and mitigating session fixation
attacks.

Token format: {random_part}:{hmac(random_part + user_id, secret)}

Refs #338

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
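The token format named in the commit message, worked through as an added example (this is not the project's CsrfService or its tests); the function names, the fixed 32-byte hex random part and the hex MAC encoding are assumptions:

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Added illustration of {random_part}:{hmac(random_part + user_id, secret)}.
// Not the project's own code. A fixed-length random part (assumption) keeps
// the random_part / user_id boundary inside the HMAC input unambiguous.
const RANDOM_BYTES = 32;
const HEX_RE = /^[0-9a-f]+$/;

function bindingMac(randomPart: string, userId: string, secret: string): string {
  return createHmac("sha256", secret).update(randomPart + userId).digest("hex");
}

// Mint a token bound to the authenticated user's id.
function generateToken(userId: string, secret: string): string {
  if (!secret) throw new Error("CSRF_SECRET is required"); // fail closed
  const randomPart = randomBytes(RANDOM_BYTES).toString("hex");
  return `${randomPart}:${bindingMac(randomPart, userId, secret)}`;
}

// Verification recomputes the MAC for the *current* session's user id, so a
// token minted under another session (or with a different secret) fails.
function verifyToken(token: string, userId: string, secret: string): boolean {
  const parts = token.split(":");
  if (parts.length !== 2) return false;
  const [randomPart, mac] = parts;
  if (randomPart.length !== RANDOM_BYTES * 2 || !HEX_RE.test(randomPart)) return false;
  // sha256 hex digest is exactly 64 chars; reject anything else up front so
  // Buffer.from cannot silently truncate a malformed MAC.
  if (mac.length !== 64 || !HEX_RE.test(mac)) return false;
  const expected = Buffer.from(bindingMac(randomPart, userId, secret), "hex");
  const given = Buffer.from(mac, "hex");
  return timingSafeEqual(given, expected); // constant-time comparison
}
```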
Jason Woltje
2026-02-05 16:33:22 -06:00
parent 7f3cd17488
commit 7390cac2cc
8 changed files with 703 additions and 69 deletions


@@ -4,6 +4,7 @@ import { ThrottlerModule } from "@nestjs/throttler";
import { BullModule } from "@nestjs/bullmq";
import { ThrottlerValkeyStorageService, ThrottlerApiKeyGuard } from "./common/throttler";
import { CsrfGuard } from "./common/guards/csrf.guard";
import { CsrfService } from "./common/services/csrf.service";
import { AppController } from "./app.controller";
import { AppService } from "./app.service";
import { CsrfController } from "./common/controllers/csrf.controller";
@@ -94,6 +95,7 @@ import { FederationModule } from "./federation/federation.module";
controllers: [AppController, CsrfController],
providers: [
AppService,
CsrfService,
{
provide: APP_INTERCEPTOR,
useClass: TelemetryInterceptor,
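Review bot: registering `CsrfService` as a plain entry in `providers` does not by itself enforce the CSRF_SECRET requirement the commit message introduces; confirm the service reads the secret in its constructor (or `onModuleInit`) and throws when it is unset, so the application fails at boot instead of signing tokens with an empty or undefined secret. A one-line comment on the `CsrfService,` provider entry pointing at that configuration requirement would also help the next reader of this module.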