2025-12-17 13:33:31 -05:00
|
|
|
/**
|
|
|
|
|
* CSRF token utilities
|
|
|
|
|
* Generates and validates CSRF tokens to prevent cross-site request forgery
|
|
|
|
|
*/
|
|
|
|
|
import crypto from 'crypto';
|
|
|
|
|
|
|
|
|
|
const CSRF_TOKEN_LENGTH = 32;
|
|
|
|
|
const CSRF_TOKEN_EXPIRY = 3600000; // 1 hour in milliseconds
|
|
|
|
|
|
2025-12-19 11:59:00 -05:00
|
|
|
interface TokenData {
|
|
|
|
|
sessionId: string;
|
|
|
|
|
expiresAt: number;
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-17 13:33:31 -05:00
|
|
|
// In-memory token store (for production, use Redis or database)
|
2025-12-19 11:59:00 -05:00
|
|
|
const tokenStore: Map<string, TokenData> = new Map();
|
2025-12-17 13:33:31 -05:00
|
|
|
|
|
|
|
|
// Cleanup expired tokens periodically
|
|
|
|
|
setInterval(() => {
|
|
|
|
|
const now = Date.now();
|
|
|
|
|
for (const [token, data] of tokenStore.entries()) {
|
|
|
|
|
if (data.expiresAt < now) {
|
|
|
|
|
tokenStore.delete(token);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}, 300000); // Clean every 5 minutes
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Generate a new CSRF token
|
2025-12-19 11:59:00 -05:00
|
|
|
* @param sessionId - Unique identifier for the user session (e.g., cookie ID)
|
|
|
|
|
* @returns The generated CSRF token
|
2025-12-17 13:33:31 -05:00
|
|
|
*/
|
2025-12-19 11:59:00 -05:00
|
|
|
export function generateCsrfToken(sessionId: string): string {
|
2025-12-17 13:33:31 -05:00
|
|
|
const token = crypto.randomBytes(CSRF_TOKEN_LENGTH).toString('hex');
|
|
|
|
|
const expiresAt = Date.now() + CSRF_TOKEN_EXPIRY;
|
|
|
|
|
|
|
|
|
|
tokenStore.set(token, {
|
|
|
|
|
sessionId,
|
|
|
|
|
expiresAt,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
return token;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Validate a CSRF token
|
2025-12-19 11:59:00 -05:00
|
|
|
* @param token - The token to validate
|
|
|
|
|
* @param sessionId - The session ID to validate against
|
|
|
|
|
* @returns True if token is valid, false otherwise
|
2025-12-17 13:33:31 -05:00
|
|
|
*/
|
2025-12-19 11:59:00 -05:00
|
|
|
export function validateCsrfToken(token: string | null | undefined, sessionId: string | null | undefined): boolean {
|
2025-12-17 13:33:31 -05:00
|
|
|
if (!token || !sessionId) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const data = tokenStore.get(token);
|
|
|
|
|
|
|
|
|
|
if (!data) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check expiry
|
|
|
|
|
if (data.expiresAt < Date.now()) {
|
|
|
|
|
tokenStore.delete(token);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check session ID match
|
|
|
|
|
if (data.sessionId !== sessionId) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Token is valid - consume it (one-time use)
|
|
|
|
|
tokenStore.delete(token);
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get token store size (for monitoring)
|
|
|
|
|
*/
|
2025-12-19 11:59:00 -05:00
|
|
|
export function getTokenStoreSize(): number {
|
2025-12-17 13:33:31 -05:00
|
|
|
return tokenStore.size;
|
|
|
|
|
}
|
