From 0a0cac5f41df0b867d0644fa392abb7a0ad4507a Mon Sep 17 00:00:00 2001
From: zadam
Date: Wed, 29 May 2019 23:13:15 +0200
Subject: [PATCH] added extra logging for debugging CSRF issues

---
 src/app.js | 12 ++++++++++++
 src/routes/index.js | 6 +++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/app.js b/src/app.js
index 660de2320..e2625db00 100644
--- a/src/app.js
+++ b/src/app.js
@@ -67,6 +67,18 @@
 require('./routes/routes').register(app);
 require('./routes/custom').register(app);
 
+app.use((err, req, res, next) => {
+ if (err.code !== 'EBADCSRFTOKEN') {
+ return next(err);
+ }
+
+ log.error(`Invalid CSRF token: ${req.headers['x-csrf-token']}, secret: ${req.cookies['_csrf']}`);
+
+ err = new Error('Invalid CSRF token');
+ err.status = 403;
+ next(err);
+});
+
 // catch 404 and forward to error handler
 app.use((req, res, next) => {
 const err = new Error('Router not found for request ' + req.url);
diff --git a/src/routes/index.js b/src/routes/index.js
index 30cb87895..d41a3dc74 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
@@ -5,14 +5,18 @@
 const sql = require('../services/sql');
 const attributeService = require('../services/attributes');
 const config = require('../services/config');
 const optionService = require('../services/options');
+const log = require('../services/log');
 
 async function index(req, res) {
 const options = await optionService.getOptionsMap();
 const view = req.cookies['trilium-device'] === 'mobile' ? 'mobile' : 'desktop';
 
+ const csrfToken = req.csrfToken();
+ log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader('set-cookie')}`);
+
 res.render(view, {
- csrfToken: req.csrfToken(),
+ csrfToken: csrfToken,
 theme: options.theme,
 leftPaneMinWidth: parseInt(options.leftPaneMinWidth),
 leftPaneWidthPercent: parseInt(options.leftPaneWidthPercent),
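Review bot: The new `log.error` line in the EBADCSRFTOKEN handler writes the `_csrf` secret cookie and the submitted token verbatim into the error log; the secret is the value the tokens are derived from, so its presence in a log file that is copied around for support undermines the protection for as long as that secret stays valid. Log presence rather than values, e.g. `log.error(`Invalid CSRF token for ${req.method} ${req.url} (token header present: ${!!req.headers['x-csrf-token']}, secret cookie present: ${!!req.cookies['_csrf']})`);`, and if the raw values are needed for a one-off investigation, strip the line again before release rather than shipping it. Reassigning the `err` parameter further down also obscures which error is forwarded; `const forbidden = new Error('Invalid CSRF token');` followed by `forbidden.status = 403; next(forbidden);` reads more clearly. `req.cookies` is presumably populated by a cookie parser mounted earlier in the file, outside this hunk.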
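Review bot: `res.getHeader('set-cookie')` on the new `log.info` line dumps every cookie this response sets, not only the `_csrf` secret, so it likely captures the session cookie as well, and the freshly generated token is logged in full next to it at info level on every index render. Record only that a token was issued, e.g. `log.info(`Generated CSRF token for ${view} view`);`, or remove the line once the investigation is done; the same secret-in-log concern applies to the `log.error` added in src/app.js. The `csrfToken: csrfToken,` property can use the shorthand `csrfToken,`. The enclosing `index` function continues past the end of the hunk.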