TechQA.

Fastify CSRF does not create a header or cookie and does not check it

447 views Asked by At

I have a frontend in NextJS and a backend in NestJS. I noticed that the token is not checked on the back-end side, nor is any X-CSRF-TOKEN header or cookie created, even though the code is in accordance with the documentation. After researching and asking ChatGPT who said that I should work normally and add headers or create a cookie file, I decided to write here. Anyone know why the token isn't being created? I guess it's not due to a bug in the @fastify/csrf-protection types? Also, there is no error and also when there is no token, it normally loads routes which should not be the case and without the token you should not be able to access the page.

My Code:

import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';
import { ConfigService } from '@nestjs/config';
import {
  FastifyAdapter,
  NestFastifyApplication,
} from '@nestjs/platform-fastify';
import { FastifyInstance } from 'fastify';
import fastifyCookie, { CookieSerializeOptions } from '@fastify/cookie';
import fastifyCsrf from '@fastify/csrf-protection';
import { randomBytes } from 'crypto';

async function bootstrap() {
  const app = await NestFactory.create<NestFastifyApplication>(
    AppModule,
    new FastifyAdapter(),
  );
  const fastifyInstance: FastifyInstance = app.getHttpAdapter().getInstance();
  fastifyInstance
    .addHook('onRequest', async (req, res) => {
      req.socket['encrypted'] = process.env.NODE_ENV === 'production';
      res.header('X-Powered-By', 'CyberSecurity');
    })
    .decorateReply('setHeader', function (name: string, value: unknown) {
      this.header(name, value);
    })
    .decorateReply('end', function () {
      this.send('');
    });
  const configService = app.get(ConfigService);
  const port = configService.get<string>('PORT', '');

  // Throttler - Protection
  app.enableCors({
    origin: '*',
    methods: 'GET, HEAD, PUT, PATCH, POST, DELETE',
    allowedHeaders: 'Content-Type, Authorization',
    credentials: true,
  });

  // XCSRF - Protection
  await app.register(fastifyCookie, {
    secret: randomBytes(32).toString('base64'),
  });
  await app.register(fastifyCsrf, {
    sessionPlugin: '@fastify/cookie',
    cookieKey: 'csrf-token',
    cookie: (cookieOptions: CookieSerializeOptions) => ({
      httpOnly: true,
      sameSite: 'strict',
      path: '/',
      secure: true,
      signed: false,
      ...cookieOptions,
    }),
    secret: randomBytes(32).toString('base64'),
  } as any);

  await app.listen(port);
}
bootstrap();

Here I am sending you my versions of packages:

@nestjs v9.4.0
@nestjs/platform-fastify v9.4.0
@fastify/cookie v8.3.0
@fastify/csrf-protection v6.3.0
nestjs csrf fastify nestjs-fastify fastify-cookie
Original Q&A
0

There are 0 answers

Related Questions in NESTJS

Related Questions in CSRF

Related Questions in FASTIFY

Related Questions in NESTJS-FASTIFY

Related Questions in FASTIFY-COOKIE

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions