CSRF Protection

package.json

@@ -10,8 +10,11 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
+    "axios": "^1.7.9",
     "bcryptjs": "^2.4.3",
+    "cookie-parser": "^1.4.7",
     "cors": "^2.8.5",
+    "csrf-csrf": "^3.1.0",
     "dotenv": "^16.4.7",
     "express": "^4.21.1",
     "express-favicon": "^2.0.4",
@@ -20,7 +23,6 @@
     "mongoose": "^8.8.2",
     "morgan": "^1.10.0",
     "punycode": "^2.3.1",
-    "axios": "^1.7.9",
     "express-mongo-sanitize": "^2.2.0",
     "express-rate-limit": "^7.4.1",
     "helmet": "^8.0.0",

src/app.js

@@ -1,5 +1,4 @@
-require("dotenv").config(); // Make sure this is at the top
-
+require("dotenv").config();
 const express = require("express");
 const app = express();
 
@@ -9,18 +8,32 @@ const logger = require('morgan');
 const helmet = require("helmet");
 const rateLimit = require("express-rate-limit");
 const mongoSanitize = require("express-mongo-sanitize");
+const cookieParser = require("cookie-parser");
+const { doubleCsrf } = require("csrf-csrf");
 const notFoundMiddleware = require('./middleware/not_found');
 const errorHandleMiddleware = require('./middleware/error_handler');
 
-
 const mainRouter = require('./routes/mainRouter.js');
 const userRouter = require('./routes/user');
 const itineraryRouter = require('./routes/itineraryRouter');
 const ticketmasterRouter = require("./routes/ticketmasterRouter.js");
 
+// Initialize CSRF protection
+const { generateToken, doubleCsrfProtection } = doubleCsrf({
+  getSecret: () => "your-secret-key-min-32-chars-long",
+  cookieName: "x-csrf-token",
+  cookieOptions: {
+    httpOnly: true,
+    sameSite: "strict",
+    secure: process.env.NODE_ENV === "production",
+  },
+  size: 64,
+  getTokenFromRequest: (req) => req.headers["x-csrf-token"],
+});
 
 // Middleware
 app.use(cors());
+app.use(cookieParser());
 app.use(express.json());
 app.use(express.urlencoded({ extended: false }));
 app.use(logger("dev"));
@@ -34,14 +47,18 @@ const apiLimiter = rateLimit({
   max: 200, // Limit each IP to 200 requests per windowMs
 });
 
+// Generate CSRF token and attach to response
+app.use((req, res, next) => {
+  res.cookie("x-csrf-token", generateToken(req, res));
+  next();
+});
 
-
-// routes
+//Routes
 app.use("/api", apiLimiter);
-app.use('/api/v1', mainRouter);
+app.use("/api/ticketmaster", ticketmasterRouter);
+app.use("/api/v1", doubleCsrfProtection, mainRouter);
 app.use('/api/v1/user', userRouter);
 app.use('/api/v1/itinerary', itineraryRouter);
-app.use("/api/v1/ticketmaster", ticketmasterRouter);
 
 // error handling middleware
 app.use(notFoundMiddleware);

src/routes/ticketmasterRouter.js

@@ -9,11 +9,9 @@ ticketmasterRouter.get(
   searchEvents
 );
 
-
 module.exports = ticketmasterRouter;
 
 //The API endpoint will work with formats:
-//   /api/v1/ticketmaster/events/Seattle/WA/2024-02-01/2024-02-05
-//   /api/v1/ticketmaster/events/Seattle/WA/null/2024-02-01
-//   /api/v1/ticketmaster/events/Seattle/WA//2024-02-01
-//   /api/v1/ticketmaster/events/Seattle/WA
+//   /api/ticketmaster/events/Seattle/WA?startDateTime=2024-02-01&endDateTime=2024-02-05
+//   /api/ticketmaster/events/Seattle/WA?endDateTime=2024-02-01
+//   /api/ticketmaster/events/Seattle/WA