@quanticjs/auth-web-bff 5.1.0 → 5.3.0

package/dist/bff.controller.js

@@ -46,6 +46,7 @@ let BffController = class BffController {
         try {
             const { sessionId, returnTo } = await this.bffService.handleCallback(code, state, codeVerifier);
             res.cookie(this.bffService.getCookieName(), sessionId, this.bffService.getCookieOptions());
+            res.cookie(this.bffService.getCsrfCookieName(), this.bffService.generateCsrfToken(), this.bffService.getCsrfCookieOptions());
             res.redirect(returnTo);
         }
         catch {
@@ -53,6 +54,12 @@ let BffController = class BffController {
         }
     }
     async refresh(req, res) {
+        const csrfHeader = req.headers['x-csrf-token'];
+        const csrfCookie = req.cookies?.[this.bffService.getCsrfCookieName()];
+        if (!this.bffService.validateCsrf(csrfHeader, csrfCookie)) {
+            res.status(403).json({ message: 'Invalid CSRF token' });
+            return;
+        }
         const sessionId = req.cookies?.[this.bffService.getCookieName()];
         if (!sessionId) {
             res.status(401).json({ message: 'No session' });
@@ -66,12 +73,21 @@ let BffController = class BffController {
         res.json({ success: true });
     }
     async logout(req, res) {
+        const csrfHeader = req.headers['x-csrf-token'];
+        const csrfCookie = req.cookies?.[this.bffService.getCsrfCookieName()];
+        if (!this.bffService.validateCsrf(csrfHeader, csrfCookie)) {
+            res.status(403).json({ message: 'Invalid CSRF token' });
+            return;
+        }
         const cookieName = this.bffService.getCookieName();
         const sessionId = req.cookies?.[cookieName];
         if (sessionId) {
             await this.bffService.destroySession(sessionId);
         }
-        res.clearCookie(cookieName, this.bffService.getCookieOptions()).json({ success: true });
+        res
+            .clearCookie(cookieName, this.bffService.getCookieOptions())
+            .clearCookie(this.bffService.getCsrfCookieName(), this.bffService.getCsrfCookieOptions())
+            .json({ success: true });
     }
     async me(req, res) {
         const cookieName = this.bffService.getCookieName();

package/dist/bff.service.d.ts

@@ -10,6 +10,7 @@ export declare class BffService implements OnModuleInit {
     private readonly sessionTtl;
     private readonly sessionPrefix;
     private readonly cookieName;
+    private readonly csrfCookieName;
     constructor(options: BffModuleOptions, redis: Redis | undefined);
     onModuleInit(): Promise<void>;
     getAuthorizationUrl(returnTo?: string): {
@@ -27,6 +28,10 @@ export declare class BffService implements OnModuleInit {
     getUserInfo(sessionId: string): Promise<Record<string, unknown> | null>;
     getCookieOptions(): Record<string, unknown>;
     getCookieName(): string;
+    getCsrfCookieName(): string;
+    getCsrfCookieOptions(): Record<string, unknown>;
+    generateCsrfToken(): string;
+    validateCsrf(headerValue: string | undefined, cookieValue: string | undefined): boolean;
     private saveSession;
     private toPublicKeycloakUrl;
     private getCallbackUrl;

package/dist/bff.service.js

@@ -16,6 +16,7 @@ exports.BffService = void 0;
 const common_1 = require("@nestjs/common");
 const openid_client_1 = require("openid-client");
 const uuid_1 = require("uuid");
+const crypto_1 = require("crypto");
 const core_1 = require("@quanticjs/core");
 const interfaces_1 = require("./interfaces");
 function extractRealmRoles(accessToken) {
@@ -38,12 +39,14 @@ let BffService = class BffService {
     sessionTtl;
     sessionPrefix;
     cookieName;
+    csrfCookieName;
     constructor(options, redis) {
         this.options = options;
         this.redis = redis;
         this.sessionTtl = options.session?.ttlSeconds ?? 7 * 24 * 3600;
         this.sessionPrefix = options.session?.prefix ?? 'session:';
-        this.cookieName = options.session?.cookieName ?? 'sid';
+        this.cookieName = options.session?.cookieName ?? '__Host-sid';
+        this.csrfCookieName = options.csrf?.cookieName ?? '__Host-csrf';
     }
     async onModuleInit() {
         const { keycloak } = this.options;
@@ -166,7 +169,7 @@ let BffService = class BffService {
         return {
             httpOnly: true,
             secure: process.env.NODE_ENV === 'production',
-            sameSite: 'lax',
+            sameSite: 'strict',
             path: '/',
             maxAge: this.sessionTtl * 1000,
         };
@@ -174,6 +177,24 @@ let BffService = class BffService {
     getCookieName() {
         return this.cookieName;
     }
+    getCsrfCookieName() {
+        return this.csrfCookieName;
+    }
+    getCsrfCookieOptions() {
+        return {
+            httpOnly: false,
+            secure: process.env.NODE_ENV === 'production',
+            sameSite: 'strict',
+            path: '/',
+            maxAge: this.sessionTtl * 1000,
+        };
+    }
+    generateCsrfToken() {
+        return (0, crypto_1.randomBytes)(32).toString('base64url');
+    }
+    validateCsrf(headerValue, cookieValue) {
+        return !!headerValue && !!cookieValue && headerValue === cookieValue;
+    }
     async saveSession(sessionId, data) {
         if (!this.redis)
             throw new Error('Redis not available');

package/dist/interfaces.d.ts

@@ -11,6 +11,9 @@ export interface BffModuleOptions {
         cookieName?: string;
         prefix?: string;
     };
+    csrf?: {
+        cookieName?: string;
+    };
     publicUrl: string;
     callbackPath?: string;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@quanticjs/auth-web-bff",
-  "version": "5.1.0",
+  "version": "5.3.0",
   "description": "BFF authentication module — Keycloak OIDC, Redis sessions, httpOnly cookies",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -9,7 +9,7 @@
     "clean": "rm -rf dist"
   },
   "dependencies": {
-    "@quanticjs/core": "^5.1.0"
+    "@quanticjs/core": "^5.3.0"
   },
   "peerDependencies": {
     "@nestjs/common": "^10.0.0 || ^11.0.0",