1
0
mirror of https://git.sr.ht/~cadence/bibliogram synced 2024-11-25 01:17:29 +00:00

Remove CSRF protection

This commit is contained in:
Cadence Ember 2022-03-05 19:25:22 +13:00
parent a6094a37ec
commit 6b667f5f00

View File

@ -41,7 +41,24 @@ function getSettings(req) {
return addDefaults() return addDefaults()
} }
/*
* CSRF tokens were previously used here to reduce an attack vector, but have now been removed.
*
* In a CSRF attack, an attack with a website can forge POST requests to Bibliogram that execute in the visitor's browser. Since the request is first-party, it will include cookies. Therefore a crafted form could override the user's preferences.
*
* This was removed because:
* - Instance redirector extensions can now issue a POST to set consistent preferences
* - The chance of somebody choosing to troll visitors is low
* - The impact if this occurs is low: the worst that can happen is somebody's preferences are erased, which they can simply change back
* - The more popular Invidious does not see it necessary to use CSRF protection
* - The implementation wasn't totally secure anyway.
*
* The code remains, but generateCSRF and checkCSRF have been set to always accept.
*/
function generateCSRF() { function generateCSRF() {
return "x"
const token = crypto.randomBytes(16).toString("hex") const token = crypto.randomBytes(16).toString("hex")
const expires = Date.now() + constants.caching.csrf_time const expires = Date.now() + constants.caching.csrf_time
db.prepare("INSERT INTO CSRFTokens (token, expires) VALUES (?, ?)").run(token, expires) db.prepare("INSERT INTO CSRFTokens (token, expires) VALUES (?, ?)").run(token, expires)
@ -49,6 +66,8 @@ function generateCSRF() {
} }
function checkCSRF(token) { function checkCSRF(token) {
return true
const row = db.prepare("SELECT * FROM CSRFTokens WHERE token = ? AND expires > ?").get(token, Date.now()) const row = db.prepare("SELECT * FROM CSRFTokens WHERE token = ? AND expires > ?").get(token, Date.now())
if (row) { if (row) {
db.prepare("DELETE FROM CSRFTokens WHERE token = ?").run(token) db.prepare("DELETE FROM CSRFTokens WHERE token = ?").run(token)