mosaic/stack
1
0
Fork 0
Code Issues 14 Pull Requests 2 Actions Packages Projects Releases 2 Wiki Activity

fix(#278): Implement CSRF protection using double-submit cookie pattern
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details

Browse Source 
Implemented comprehensive CSRF protection for all state-changing endpoints
(POST, PATCH, DELETE) using the double-submit cookie pattern.

Security Implementation:
- Created CsrfGuard using double-submit cookie validation
- Token set in httpOnly cookie and validated against X-CSRF-Token header
- Applied guard to FederationController (vulnerable endpoints)
- Safe HTTP methods (GET, HEAD, OPTIONS) automatically exempted
- Signature-based endpoints (@SkipCsrf decorator) exempted

Components Added:
- CsrfGuard: Validates cookie and header token match
- CsrfController: GET /api/v1/csrf/token endpoint for token generation
- @SkipCsrf(): Decorator to exempt endpoints with alternative auth
- Comprehensive tests (20 tests, all passing)

Protected Endpoints:
- POST /api/v1/federation/connections/initiate
- POST /api/v1/federation/connections/:id/accept
- POST /api/v1/federation/connections/:id/reject
- POST /api/v1/federation/connections/:id/disconnect
- POST /api/v1/federation/instance/regenerate-keys

Exempted Endpoints:
- POST /api/v1/federation/incoming/connect (signature-verified)
- GET requests (safe methods)

Security Features:
- httpOnly cookies prevent XSS attacks
- SameSite=strict prevents subdomain attacks
- Cryptographically secure random tokens (32 bytes)
- 24-hour token expiry
- Structured logging for security events

Testing:
- 14 guard tests covering all scenarios
- 6 controller tests for token generation
- Quality gates: lint, typecheck, build all passing

Note: Frontend integration required to use tokens. Clients must:
1. GET /api/v1/csrf/token to receive token
2. Include token in X-CSRF-Token header for state-changing requests

Fixes #278

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-03 20:34:03 -06:00
parent 001a44532d
commit ebd842f007
8 changed files with 572 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
apps/api/src/common/decorators/skip-csrf.decorator.ts Normal file
View File

@@ -0,0 +1,20 @@
/**
* Skip CSRF Decorator
*
* Marks an endpoint to skip CSRF protection.
* Use for endpoints that have alternative authentication (e.g., signature verification).
*
* @example
* ```typescript
* @Post('incoming/connect')
* @SkipCsrf()
* async handleIncomingConnection() {
* // Signature-based authentication, no CSRF needed
* }
* ```
*/
import { SetMetadata } from "@nestjs/common";
import { SKIP_CSRF_KEY } from "../guards/csrf.guard";
export const SkipCsrf = () => SetMetadata(SKIP_CSRF_KEY, true);