From 6f6041ee7b954fe70e5cf0615e04ca6a716d6a44 Mon Sep 17 00:00:00 2001
From: Elian Doran
Date: Thu, 15 May 2025 20:39:31 +0300
Subject: [PATCH] fix(server): migrate csrf to v4

---
 apps/server/src/routes/csrf_protection.ts | 5 +++--
 apps/server/src/routes/index.ts | 9 +++++----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/apps/server/src/routes/csrf_protection.ts b/apps/server/src/routes/csrf_protection.ts
index 391be0aaa..bd382e369 100644
--- a/apps/server/src/routes/csrf_protection.ts
+++ b/apps/server/src/routes/csrf_protection.ts
@@ -10,7 +10,8 @@ const doubleCsrfUtilities = doubleCsrf({
 sameSite: "strict",
 httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966
 },
- cookieName: "_csrf"
+ cookieName: "_csrf",
+ getSessionIdentifier: (req) => req.session.id
 });
-export const { generateToken, doubleCsrfProtection } = doubleCsrfUtilities;
+export const { generateCsrfToken, doubleCsrfProtection } = doubleCsrfUtilities;
diff --git a/apps/server/src/routes/index.ts b/apps/server/src/routes/index.ts
index 79a40f186..5a907cee4 100644
--- a/apps/server/src/routes/index.ts
+++ b/apps/server/src/routes/index.ts
@@ -10,7 +10,7 @@ import protectedSessionService from "../services/protected_session.js";
 import packageJson from "../../package.json" with { type: "json" };
 import assetPath from "../services/asset_path.js";
 import appPath from "../services/app_path.js";
-import { generateToken as generateCsrfToken } from "./csrf_protection.js";
+import { generateCsrfToken } from "./csrf_protection.js";
 import type { Request, Response } from "express";
 import type BNote from "../becca/entities/bnote.js";
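Review bot: `getSessionIdentifier: (req) => req.session.id` dereferences `req.session` unguarded, so any request that reaches doubleCsrfProtection or generateCsrfToken before the session middleware has populated it fails with a TypeError rather than a clean CSRF rejection, and that ordering dependency is not visible from this hunk. As far as I know csrf-csrf v4 folds this identifier into the token HMAC, which is what binds a token to the session (a good property), but it also means that if the app regenerates the session — on login, for example — tokens issued before that point stop validating and any form rendered earlier needs a fresh one. I would state both at the option: `// v4 binds the token HMAC to the session id; the session middleware must be mounted before doubleCsrfProtection on every route that uses it, and a session regeneration invalidates earlier tokens`. The `doubleCsrf({ ... })` call opens above the hunk, so I cannot see whether the rest of the config already documents this. The rename from generateToken to generateCsrfToken is a compile-time break for any other importer of the old name; the diffstat suggests index.ts is the only one, but that is worth confirming across the workspace.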
@@ -19,9 +19,10 @@ function index(req: Request, res: Response) {
 const options = optionService.getOptionMap();
 const view = getView(req);
- //'overwrite' set to false (default) => the existing token will be re-used and validated
- //'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
- const csrfToken = generateCsrfToken(req, res, false, false);
+ const csrfToken = generateCsrfToken(req, res, {
+ overwrite: true,
+ validateOnReuse: false // if validation fails, generate a new token instead of throwing an error
+ });
 log.info(`CSRF token generation: ${csrfToken ? "Successful" : "Failed"}`);
 // We force the page to not be cached since on mobile the CSRF token can be
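Review bot: `overwrite: true` inverts the behavior the removed comment documented (overwrite false, existing token re-used and validated): every render of the index page now issues a fresh token and cookie, which invalidates the token embedded in any other open tab of the same session, and as far as I can tell from the option semantics the reuse path is never taken when overwrite is set, so `validateOnReuse: false` and its comment describe a branch that cannot run. If the intent is to keep the pre-v4 semantics, `overwrite: false` together with `validateOnReuse: false` does that; if the per-page-load overwrite is intentional, drop `validateOnReuse` and replace the comment with one saying why a new token on each page load is wanted and that older tabs must reload. Either way the comment should not promise fallback-on-failure behavior that this option combination does not exercise. The body of index continues outside the hunk.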