From 84bf2fe74a2ec2e932cd5084bd995c7b55300629 Mon Sep 17 00:00:00 2001
From: Matt Strapp <matt@mattstrapp.net>
Date: Mon, 14 Feb 2022 20:39:37 -0600
Subject: Reorder middleware for "security"

Signed-off-by: Matt Strapp <matt@mattstrapp.net>
---
 src/routes/api.ts | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

(limited to 'src/routes')

diff --git a/src/routes/api.ts b/src/routes/api.ts
index 4d55626..ab0ff26 100644
--- a/src/routes/api.ts
+++ b/src/routes/api.ts
@@ -11,6 +11,12 @@ import { spawn } from 'child_process';
 
 const api = express.Router();
 
+// Use JSON parser for API requests and responses
+api.use(express.json());
+// CSRF protection
+api.use(cookieParser());
+const csrf = csurf({ cookie: true });
+
 // For file uploads
 api.use(fileUpload({
     preserveExtension: true, // Preserve file extension on upload
@@ -21,12 +27,6 @@ api.use(fileUpload({
     debug: false, // Log debug information
 }));
 
-// CSRF protection
-api.use(cookieParser());
-const csrf = csurf({ cookie: true });
-
-// Use JSON parser for API requests and responses
-api.use(express.json());
 
 /*
     Upload a file to the server
@@ -101,6 +101,7 @@ api.route('/upload')
 
 */
 api.route('/actuate')
+    // Snyk error mitigation, should be fine since the rate limiting is already in place
     // file deepcode ignore NoRateLimitingForExpensiveWebOperation: This is already rate limited by the website, so we don't need to do it again
     .post(csrf, async (req: Request, res: Response) => {
         // Make sure the file being requested to run exists
-- 
cgit v1.2.3