From 160e299631c5a1741e93cfb0681c9218b5898d34 Mon Sep 17 00:00:00 2001
From: Matt Strapp
Date: Thu, 10 Feb 2022 14:37:15 -0600
Subject: Add CSRF cookie and make it somewhat secure
Signed-off-by: Matt Strapp
---
 package.json | 2 ++
 src/index.ts | 7 +++++--
 yarn.lock | 15 +++++++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index c47b57d..50cc603 100644
--- a/package.json
+++ b/package.json
@@ -1,5 +1,6 @@
 {
 "dependencies": {
+ "cookie-parser": "^1.4.6",
 "csurf": "^1.11.0",
 "ejs": "^3.1.6",
 "express": "^4.17.2",
@@ -9,6 +10,7 @@
 "helmet": "^5.0.2"
 },
 "devDependencies": {
+ "@types/cookie-parser": "^1.4.2",
 "@types/csurf": "^1.11.2",
 "@types/express": "^4.17.13",
 "@types/express-session": "^1.17.4",
diff --git a/src/index.ts b/src/index.ts
index e396151..a456313 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -6,15 +6,18 @@ import path from 'path';
 import { env } from 'process';
 import helmet from 'helmet';
 import csurf from 'csurf';
+import cookieParser from 'cookie-parser';
+import { randomBytes } from 'crypto';
 const app = express();
 // Middleware
 const port: string = env.PORT || '2000';
-const csrf = csurf({ cookie: false });
+app.use(cookieParser());
+const csrf = csurf({ cookie: true });
 app.use(session({
- secret: 'keyboard cat',
+ secret: randomBytes(50).toString('base64'),
 resave: false,
 saveUninitialized: true,
 cookie: {
diff --git a/yarn.lock b/yarn.lock
index f6a0219..cdf10fe 100644
--- a/yarn.lock
+++ b/yarn.lock
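Review bot: The new `secret: randomBytes(50).toString('base64')` line in the `session({` options derives the signing secret afresh on every process start, so each restart invalidates every existing session cookie and, in a clustered or multi-instance deployment, each worker signs with a different key and rejects its siblings' cookies; take the secret from configuration and keep the random value only as a development fallback, e.g. `secret: env.SESSION_SECRET || randomBytes(50).toString('base64'), // random fallback is dev-only: it rotates on every restart`. The switch to `csurf({ cookie: true })` also moves the CSRF secret into a plain `_csrf` cookie which, as far as I recall csurf's defaults, is unsigned and carries no `httpOnly`, `secure` or `sameSite` attribute, so pass explicit options such as `csurf({ cookie: { httpOnly: true, sameSite: 'strict', secure: env.NODE_ENV === 'production' } })` (or stay with the session-backed mode, since express-session is already in the stack). The session `cookie: {` block continues past the end of the hunk, so the attributes on the session cookie itself cannot be reviewed here. csurf has also since been deprecated by its maintainers, so a replacement is worth planning.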
@@ -79,6 +79,13 @@ dependencies:
 "@types/node" "*"
+"@types/cookie-parser@^1.4.2":
+ version "1.4.2"
+ resolved "https://registry.yarnpkg.com/@types/cookie-parser/-/cookie-parser-1.4.2.tgz#e4d5c5ffda82b80672a88a4281aaceefb1bd9df5"
+ integrity sha512-uwcY8m6SDQqciHsqcKDGbo10GdasYsPCYkH3hVegj9qAah6pX5HivOnOuI3WYmyQMnOATV39zv/Ybs0bC/6iVg==
+ dependencies:
+ "@types/express" "*"
+
 "@types/csurf@^1.11.2":
 version "1.11.2"
 resolved "https://registry.yarnpkg.com/@types/csurf/-/csurf-1.11.2.tgz#c1cba70f7af653c508b28db047e6c1be72411345"
@@ -547,6 +554,14 @@ content-type@~1.0.4:
 resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.4.tgz#e138cc75e040c727b1966fe5e5f8c9aee256fe3b"
 integrity sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA==
+cookie-parser@^1.4.6:
+ version "1.4.6"
+ resolved "https://registry.yarnpkg.com/cookie-parser/-/cookie-parser-1.4.6.tgz#3ac3a7d35a7a03bbc7e365073a26074824214594"
+ integrity sha512-z3IzaNjdwUC2olLIB5/ITd0/setiaFMLYiZJle7xg5Fe9KWAceil7xszYfHHBtDFYLSgJduS2Ty0P1uJdPDJeA==
+ dependencies:
+ cookie "0.4.1"
+ cookie-signature "1.0.6"
+
 cookie-signature@1.0.6:
 version "1.0.6"
 resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.6.tgz#e303a882b342cc3ee8ca513a79999734dab3ae2c"
-- cgit v1.2.3