From 495145e033d717b9ec39aa8763c0a66414093ee2 Mon Sep 17 00:00:00 2001
From: Elian Doran
Date: Sun, 15 Mar 2026 19:33:06 +0200
Subject: [PATCH] chore(server): use random UUID for session ID
---
 apps/server/src/routes/csrf_protection.ts | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/apps/server/src/routes/csrf_protection.ts b/apps/server/src/routes/csrf_protection.ts
index 17cba503a2..684d1ec81e 100644
--- a/apps/server/src/routes/csrf_protection.ts
+++ b/apps/server/src/routes/csrf_protection.ts
@@ -1,3 +1,4 @@
+import crypto from "crypto";
 import { doubleCsrf } from "csrf-csrf";
 import sessionSecret from "../services/session_secret.js";
@@ -5,6 +6,12 @@ import { isElectron } from "../services/utils.js";
 export const CSRF_COOKIE_NAME = "trilium-csrf";
+// In Electron, API calls go through an IPC bypass (routes/electron.ts) that uses a
+// FakeRequest with a static session ID, while the bootstrap request goes through real
+// Express with a real session. This mismatch causes CSRF validation to always fail.
+// We use a per-instance random identifier so each Electron process still gets unique tokens.
+const electronSessionId = crypto.randomUUID();
+
 const doubleCsrfUtilities = doubleCsrf({
 getSecret: () => sessionSecret,
 cookieOptions: {
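Review bot: The comment above `const electronSessionId = crypto.randomUUID();` explains uniqueness across processes but no longer states the trade-off the removed `// Since Electron is a local single-user app, a constant identifier is acceptable here.` line made explicit: the identifier is fixed for the lifetime of the process, so every request arriving through the IPC bypass shares one session identifier and a CSRF token minted for it presumably stays usable until the process exits. A one-line addition such as `// The identifier lives as long as the process; it is not persisted, so tokens do not survive a restart.` would keep that accepted property visible to the next reader. The new import in the first hunk would conventionally be written `import crypto from "node:crypto";`, which makes clear it is the Node built-in and not a package, consistent with the explicit `.js` specifiers the local imports already use.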
@@ -14,11 +21,7 @@ const doubleCsrfUtilities = doubleCsrf({
 httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Trilium/pull/966
 },
 cookieName: CSRF_COOKIE_NAME,
- // In Electron, API calls go through an IPC bypass (routes/electron.ts) that uses a
- // FakeRequest with a static session ID, while the bootstrap request goes through real
- // Express with a real session. This mismatch causes CSRF validation to always fail.
- // Since Electron is a local single-user app, a constant identifier is acceptable here.
- getSessionIdentifier: (req) => isElectron ? "electron" : req.session.id
+ getSessionIdentifier: (req) => isElectron ? electronSessionId : req.session.id
 });
 export const { generateCsrfToken, doubleCsrfProtection } = doubleCsrfUtilities;
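Review bot: The line `getSessionIdentifier: (req) => isElectron ? electronSessionId : req.session.id` now carries no explanation at the point of use, because the four comment lines this hunk removes were the only justification of the Electron special case next to the ternary; the rationale survives only in the module header beside `electronSessionId`. A short pointer such as `// Electron requests arrive via the IPC bypass without a real session; see electronSessionId above` would stop a reader from taking the branch for a bug. Since `isElectron` is a module-level constant, the branch could also be decided once when the options object is built instead of on every request, though that is a matter of style rather than correctness.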