Merge pull request #2259 from ministryofjustice/replace-csurf

Moving away from csurf and to csrf-sync
ministryofjustice · Dec 19, 2024 · a1670bd · a1670bd
2 parents 62eda52 + 0ad20d4
commit a1670bd
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 107 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -134,7 +134,7 @@
     "compression": "^1.7.4",
     "connect-flash": "^0.1.1",
     "connect-redis": "^7.0.0",
-    "csurf": "^1.11.0",
+    "csrf-sync": "^4.0.3",
     "date-fns": "^3.0.0",
     "dotenv": "^16.4.4",
     "express": "^4.21.0",
@@ -173,7 +173,6 @@
     "@types/compression": "^1.7.2",
     "@types/connect-flash": "0.0.40",
     "@types/cookie-session": "^2.0.44",
-    "@types/csurf": "^1.11.2",
     "@types/express-session": "^1.17.5",
     "@types/http-errors": "^2.0.0",
     "@types/jest": "^29.0.0",

diff --git a/server/middleware/setUpCsrf.ts b/server/middleware/setUpCsrf.ts
@@ -1,5 +1,5 @@
 import { Router } from 'express'
-import csurf from 'csurf'
+import { csrfSync } from 'csrf-sync'
 
 const testMode = process.env.NODE_ENV === 'test'
 
@@ -8,7 +8,17 @@ export default function setUpCsrf(): Router {
 
   // CSRF protection
   if (!testMode) {
-    router.use(csurf())
+    const {
+      csrfSynchronisedProtection, // This is the default CSRF protection middleware.
+    } = csrfSync({
+      // By default, csrf-sync uses x-csrf-token header, but we use the token in forms and send it in the request body, so change getTokenFromRequest so it grabs from there
+      getTokenFromRequest: req => {
+        // eslint-disable-next-line no-underscore-dangle
+        return req.body._csrf
+      },
+    })
+
+    router.use(csrfSynchronisedProtection)
   }
 
   router.use((req, res, next) => {