Skip to content

chore(deps): update dependency csrf-csrf to v4 #1799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: develop
Choose a base branch
from
Open

chore(deps): update dependency csrf-csrf to v4 #1799

wants to merge 5 commits into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 28, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
csrf-csrf 3.2.2 -> 4.0.2 age adoption passing confidence

Release Notes

Psifi-Solutions/csrf-csrf (csrf-csrf)

v4.0.2

Compare Source

Bug Fixes

v4.0.1

Compare Source

Bug Fixes
  • correctly skip CSRF token validation when validateOnReuse is false (bcaf1c3)

v4.0.0

Compare Source

⚠ BREAKING CHANGES

This list may not be an exhaustive list of breaking changes, for more information consult the version 3 -> 4 upgrade guide and the updated configuration documentation in the README.

  • Token generation now uses createHmac, the format has changed significantly, see the CSRF token format section of the upgrade guide.
  • getSessionIdentifier is now required and must return a unique identifier per-request (and per-session) - this is an essential part of CSRF token security
  • getTokenFromRequest renamed to getCsrfTokenFromRequest
  • generateToken renamed to generateCsrfToken
  • overwrite and validateOnReuse parameters for generateCsrfToken have been merged into a single object parameter which also accepts cookieOptions: generateCsrfToken(req, res, options);
  • Default value for validateOnReuse is now false
  • Default value for cookieOptions.sameSite is now strict
  • cookieOptions.signed is no longer available, CSRF tokens are inherently signed, this is redundant
  • delimiter option removed, csrfTokenDelimiter and messageDelimiter are now used for the respective purpose
  • signed option in cookieOptions config option removed (redundant), csrf tokens generated by csrf-csrf are inherently signed
  • size config option now sets the size of the message used to construct the hmac, now defaults to 32 instead of 64, this is combined with the return value of getSessionIdentifier to construct the hmac payload
  • Type CsrfTokenCookieOverrides renamed to CsrfTokenCookieOptions
  • Type CsrfTokenCreator renamed to CsrfTokenGenerator
  • Type doubleCsrfProtection renamed to DoubleCsrfProtection
  • Type RequestMethod renamed to CsrfRequestMethod
  • Type CsrfIgnoredMethods renamed to CsrfIgnoredRequestMethods
Features
  • change default value of sameSite to 'strict' (ba5973e)
  • change validateOnReuse to false by default (5fc62a9)
  • expose per token cookie settings (#​60) (456b317)
  • types: add CsrfTokenGeneratorRequestUtil type (72fd659)
  • use hmac to generate csrf tokens (e4c5ec3)
3.2.2 (2025-04-24)
Bug Fixes
  • types: fix incorrect type for Request#csrfToken (cf3dfe2), closes #​95
3.2.1 (2025-04-20)

No changes, just re-published the botched 3.2.0

Configuration

📅 Schedule: Branch creation - "before 3am" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies PRs or issues relating to dependencies renovate labels Apr 28, 2025
@renovate renovate bot force-pushed the renovate/csrf-csrf-4.x branch from c485412 to d9b7e86 Compare May 2, 2025 18:07
@renovate renovate bot changed the title fix(deps): update dependency csrf-csrf to v4 chore(deps): update dependency csrf-csrf to v4 May 2, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented May 2, 2025
edited
Loading

Folder/File Previous size New size Difference
/upload/TriliumNextNotes-Server-1799-merge-linux-x64.tar.xz 69MB +69MB (+100.00%)
TOTAL +69MB

@renovate renovate bot force-pushed the renovate/csrf-csrf-4.x branch from d9b7e86 to 3e10746 Compare May 2, 2025 20:08
@eliandoran eliandoran marked this pull request as draft May 10, 2025 15:26
@renovate renovate bot force-pushed the renovate/csrf-csrf-4.x branch from 7333765 to 2c1517d Compare May 15, 2025 16:12
@eliandoran eliandoran requested a review from pano9000 May 15, 2025 17:40
@eliandoran eliandoran marked this pull request as ready for review May 15, 2025 17:40
@renovate Renovate
Copy link
Contributor Author

renovate bot commented May 15, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

pano9000
pano9000 reviewed May 15, 2025
View reviewed changes
apps/server/src/routes/index.ts Outdated
//'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
const csrfToken = generateCsrfToken(req, res, false, false);
const csrfToken = generateCsrfToken(req, res, {
overwrite: true,
Copy link
Member

@pano9000 pano9000 May 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

setting overwrite: true will cause issues to people that use the Server build and open up the interface on separate browser tabs (not Trilium internal tabs, but actual browser tabs)

it is explained in the packages README as well:

If overwrite is set to true, the function will generate a new token and cookie each time it is invoked. This behavior can potentially lead to certain complications, particularly when multiple tabs are being used to interact with your web application. In such scenarios, the creation of new cookies with every call to the function can disrupt the proper functioning of your web app across different tabs, as the changes might not be synchronised effectively (you would need to write your own synchronisation logic).

I assume you went this way because of the following?
https://github.com/Psifi-Solutions/csrf-csrf/blob/HEAD/UPGRADING.md#zero-downtime-upgrade-zdu

Deleting the existing cookie should be enough to fix that issue though (in theory -> I didn't test locally yet though).

edit:
btw: I was experiencing the exact same issue, back when I introduced csrf-csrf :-)

edit 2:
Alternative idea to fix this:
if we rename the cookie from "_csrf" to anything else, that should also "workaround" the issue.
I was anyways thinking if we maybe wanted to rename it to include "trilium" in the name anyways

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pano9000 , I think changing the name of the cookie is the way to go.

pano9000
pano9000 approved these changes May 16, 2025
View reviewed changes
Copy link
Member

@pano9000 pano9000 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eliandoran eliandoran eliandoran left review comments

@pano9000 pano9000 pano9000 approved these changes

Assignees
No one assigned
Labels
dependencies PRs or issues relating to dependencies renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@eliandoran @pano9000