From 001bd1d004bf18566809af585c1753708757457b Mon Sep 17 00:00:00 2001
From: zadam
Date: Sun, 24 Mar 2019 23:03:30 +0100
Subject: [PATCH] fix csrf path so that it's valid only for current path and not whole (sub)domain

---
 src/routes/routes.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/routes/routes.js b/src/routes/routes.js
index cc925e605..4b7837cd2 100644
--- a/src/routes/routes.js
+++ b/src/routes/routes.js
@@ -40,7 +40,10 @@ const sql = require('../services/sql');
 const protectedSessionService = require('../services/protected_session');
 const csurf = require('csurf');
 
-const csrfMiddleware = csurf({ cookie: true });
+const csrfMiddleware = csurf({
+    cookie: true,
+    path: '' // nothing so cookie is valid only for current path
+});
 
 function apiResultHandler(req, res, result) {
     // if it's an array and first element is integer then we consider this to be [statusCode, response] format
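Review bot: The new `path: ''` is passed as a top-level csurf option, but csurf only reads cookie attributes (`key`, `path`, `signed`, `secure`, `httpOnly`, `sameSite`, `domain`, `maxAge`) from the object given as the `cookie` option; with `cookie: true` the defaults apply and the secret cookie keeps its default `/` path, so this change most likely does not narrow the cookie scope as the subject line intends. The option should move into the cookie object, `const csrfMiddleware = csurf({ cookie: { path: '' } // empty so the browser scopes the cookie to the current request path });` — worth confirming against the csurf version the project pins. Note that an empty `path` leaves the scope to the browser's default-path rule (the directory of the request URI), so routes mounted at different paths will each get their own secret cookie; if that is the intended isolation, a comment saying so would help the next reader. `apiResultHandler` continues beyond the hunk.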