mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity
Files
3a98b7866197cf9c11c00a725bf3d2839211cc93
stack/apps/api/src/main.ts
Jason Woltje 3a98b78661
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
ci/woodpecker/pr/woodpecker Pipeline failed
Details
fix: Complete CSRF protection implementation 
Closes three CSRF security gaps identified in code review:

1. Added X-CSRF-Token and X-Workspace-Id to CORS allowed headers
   - Updated apps/api/src/main.ts to accept CSRF token headers

2. Integrated CSRF token handling in web client
   - Added fetchCsrfToken() to fetch token from API
   - Store token in memory (not localStorage for security)
   - Automatically include X-CSRF-Token in POST/PUT/PATCH/DELETE
   - Implement automatic token refresh on 403 CSRF errors
   - Added comprehensive test coverage for CSRF functionality

3. Applied CSRF Guard globally
   - Added CsrfGuard as APP_GUARD in app.module.ts
   - Verified @SkipCsrf() decorator works for exempted endpoints

All tests passing. CSRF protection now enforced application-wide.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-04 07:12:42 -06:00

112 lines
3.1 KiB
TypeScript
Raw Blame History

import { NestFactory } from "@nestjs/core";
import { ValidationPipe } from "@nestjs/common";
import cookieParser from "cookie-parser";
import { AppModule } from "./app.module";
import { GlobalExceptionFilter } from "./filters/global-exception.filter";
function getPort(): number {
const portEnv = process.env.PORT;
if (portEnv === undefined || portEnv === "") {
return 3001;
}
const port = parseInt(portEnv, 10);
if (isNaN(port)) {
throw new Error(`Invalid PORT environment variable: "${portEnv}". PORT must be a number.`);
}
if (port < 1 || port > 65535) {
throw new Error(
`Invalid PORT environment variable: ${String(port)}. PORT must be between 1 and 65535.`
);
}
return port;
}
async function bootstrap() {
const app = await NestFactory.create(AppModule);
// Enable cookie parser for session handling
app.use(cookieParser());
// Enable global validation pipe with transformation
app.useGlobalPipes(
new ValidationPipe({
transform: true,
whitelist: true,
forbidNonWhitelisted: false,
transformOptions: {
enableImplicitConversion: false,
},
})
);
app.useGlobalFilters(new GlobalExceptionFilter());
// Configure CORS for cookie-based authentication
// SECURITY: Cannot use wildcard (*) with credentials: true
const allowedOrigins = [
process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000",
"http://localhost:3001", // API origin (dev)
"https://app.mosaicstack.dev", // Production web
"https://api.mosaicstack.dev", // Production API
];
app.enableCors({
origin: (
origin: string | undefined,
callback: (err: Error | null, allow?: boolean) => void
): void => {
// Allow requests with no origin (e.g., mobile apps, Postman)
if (!origin) {
callback(null, true);
return;
}
// Check if origin is in allowed list
if (allowedOrigins.includes(origin)) {
callback(null, true);
} else {
callback(new Error(`Origin ${origin} not allowed by CORS`));
}
},
credentials: true, // Required for cookie-based authentication
methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
allowedHeaders: ["Content-Type", "Authorization", "Cookie", "X-CSRF-Token", "X-Workspace-Id"],
exposedHeaders: ["Set-Cookie"],
maxAge: 86400, // 24 hours - cache preflight requests
});
const port = getPort();
await app.listen(port);
console.log(`API running on http://localhost:${String(port)}`);
}
bootstrap().catch((err: unknown) => {
const isProduction = process.env.NODE_ENV === "production";
const errorMessage = err instanceof Error ? err.message : String(err);
const errorStack = err instanceof Error ? err.stack : undefined;
if (isProduction) {
console.error(
JSON.stringify({
level: "error",
message: "Failed to start application",
error: errorMessage,
timestamp: new Date().toISOString(),
})
);
} else {
console.error("Failed to start application:", errorMessage);
if (errorStack) {
console.error(errorStack);
}
}
process.exit(1);
});
Reference in New Issue View Git Blame Copy Permalink