import { NextRequest, NextResponse } from 'next/server'; import { cookies } from 'next/headers'; import crypto from 'crypto'; const CSRF_COOKIE_NAME = 'csrf_token'; const CSRF_HEADER_NAME = 'x-csrf-token'; export async function generateCsrfToken() { const token = crypto.randomBytes(32).toString('hex'); const cookieStore = await cookies(); cookieStore.set(CSRF_COOKIE_NAME, token, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax', path: '/', }); return token; } export async function verifyCsrfToken(request: NextRequest) { const cookieStore = await cookies(); const cookieToken = cookieStore.get(CSRF_COOKIE_NAME)?.value; const headerToken = request.headers.get(CSRF_HEADER_NAME); if (!cookieToken || !headerToken || cookieToken !== headerToken) { return false; } return true; } /** * Basic Origin check as an additional layer of defense */ export function verifyOrigin(request: NextRequest) { const origin = request.headers.get('origin'); const host = request.headers.get('host'); if (!origin || !host) return false; // Remove protocol from origin for comparison if host doesn't have it const originHost = origin.replace(/^https?:\/\//, ''); return originHost === host || originHost.startsWith(host + ':'); }