All checks were successful
Build and Push App / build (push) Successful in 5m59s
48 lines
1.3 KiB
TypeScript
48 lines
1.3 KiB
TypeScript
import { NextRequest, NextResponse } from 'next/server';
|
|
import { cookies } from 'next/headers';
|
|
import crypto from 'crypto';
|
|
|
|
const CSRF_COOKIE_NAME = 'csrf_token';
|
|
const CSRF_HEADER_NAME = 'x-csrf-token';
|
|
|
|
export async function generateCsrfToken() {
|
|
const token = crypto.randomBytes(32).toString('hex');
|
|
const cookieStore = await cookies();
|
|
|
|
cookieStore.set(CSRF_COOKIE_NAME, token, {
|
|
httpOnly: true,
|
|
secure: process.env.NODE_ENV === 'production',
|
|
sameSite: 'lax',
|
|
path: '/',
|
|
});
|
|
|
|
return token;
|
|
}
|
|
|
|
export async function verifyCsrfToken(request: NextRequest) {
|
|
const cookieStore = await cookies();
|
|
const cookieToken = cookieStore.get(CSRF_COOKIE_NAME)?.value;
|
|
const headerToken = request.headers.get(CSRF_HEADER_NAME);
|
|
|
|
if (!cookieToken || !headerToken || cookieToken !== headerToken) {
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Basic Origin check as an additional layer of defense
|
|
*/
|
|
export function verifyOrigin(request: NextRequest) {
|
|
const origin = request.headers.get('origin');
|
|
const host = request.headers.get('host');
|
|
|
|
if (!origin || !host) return false;
|
|
|
|
// Remove protocol from origin for comparison if host doesn't have it
|
|
const originHost = origin.replace(/^https?:\/\//, '');
|
|
|
|
return originHost === host || originHost.startsWith(host + ':');
|
|
}
|