From 9b9919e847a1543ee52dc42b9040705da90fe285 Mon Sep 17 00:00:00 2001 From: Jamie Slome Date: Fri, 22 Mar 2024 12:59:02 +0000 Subject: [PATCH] fix: re-introduce csrf with lusca --- package-lock.json | 20 ++++++++++++++++++++ package.json | 1 + src/service/index.js | 2 ++ 3 files changed, 23 insertions(+) diff --git a/package-lock.json b/package-lock.json index e5e96e79..8911c0c6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -31,6 +31,7 @@ "jsonschema": "^1.4.1", "load-plugin": "^6.0.0", "lodash": "^4.17.21", + "lusca": "^1.7.0", "moment": "^2.29.4", "mongodb": "^5.0.0", "nodemailer": "^6.6.1", @@ -7027,6 +7028,17 @@ "yallist": "^3.0.2" } }, + "node_modules/lusca": { + "version": "1.7.0", + "resolved": "https://registry.npmjs.org/lusca/-/lusca-1.7.0.tgz", + "integrity": "sha512-msnrplCfY7zaqlZBDEloCIKld+RUeMZVeWzSPaGUKeRXFlruNSdKg2XxCyR+zj6BqzcXhXlRnvcvx6rAGgsvMA==", + "dependencies": { + "tsscmp": "^1.0.5" + }, + "engines": { + "node": ">=0.8.x" + } + }, "node_modules/make-dir": { "version": "3.1.0", "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-3.1.0.tgz", @@ -9716,6 +9728,14 @@ "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.6.2.tgz", "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==" }, + "node_modules/tsscmp": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz", + "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==", + "engines": { + "node": ">=0.6.x" + } + }, "node_modules/type-check": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz", diff --git a/package.json b/package.json index 73fdc7a5..c5906c2b 100644 --- a/package.json +++ b/package.json @@ -44,6 +44,7 @@ "jsonschema": "^1.4.1", "load-plugin": "^6.0.0", "lodash": "^4.17.21", + "lusca": "^1.7.0", "moment": "^2.29.4", "mongodb": "^5.0.0", "nodemailer": "^6.6.1", 
diff --git a/src/service/index.js b/src/service/index.js
index 48aa08c9..aa9bd8b4 100644
--- a/src/service/index.js
+++ b/src/service/index.js
@@ -4,6 +4,7 @@ const http = require('http');
 const cors = require('cors');
 const app = express();
 const rateLimit = require('express-rate-limit');
+const lusca = require('lusca');
 const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
@@ -40,6 +41,7 @@ const start = async () => {
  app.use(express.json());
  app.use(express.urlencoded({ extended: true }));
  app.use('/', routes);
+ app.use(lusca.csrf());
  await _httpServer.listen(uiPort);
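Review bot: `app.use(lusca.csrf())` in the second hunk is registered after `app.use('/', routes)`, and Express runs middleware in registration order, so any request the router answers never reaches the CSRF check and the protection this commit re-introduces does not apply to those routes. Move it above the router: `app.use(lusca.csrf());` immediately before `app.use('/', routes);`, so the token is validated before any handler that changes state runs. lusca's csrf middleware also relies on `req.session` by default, so a session middleware has to be registered earlier in `start` than this line; that setup is not visible in the hunk, so please confirm it is there (without it the middleware fails on every request instead of protecting anything). The body of `start` begins before and continues after this hunk.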