Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: skip safe methods #167

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: skip safe methods #167

wants to merge 1 commit into from

Conversation

johaven
Copy link

@johaven johaven commented Oct 12, 2024

Checklist

Fix issue: #166

This PR introduce the ability to pass the protected methods as module options

@johaven johaven changed the title fix: skip unsafe methods fix: skip safe methods Oct 12, 2024
@johaven johaven force-pushed the fix-skip-safe-methods branch from cc17dba to b5ec359 Compare October 12, 2024 21:37
Uzlopak
Uzlopak requested changes Oct 12, 2024
View reviewed changes
Copy link
Contributor

@Uzlopak Uzlopak left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I dislike this approach. You basically add the check that the method is in the array on every request. But this is not necessary to be done on every request. You could hook onRoute and if the route is a protected route you add csrfProtection as preParsing hook to the routeObject of the onRoute hook.

@johaven
Copy link
Author

johaven commented Oct 12, 2024

@Uzlopak I'm not very familiar with the 'onRoute' hook yet (and I hadn't thought about it :p)

Is the hook triggered after plugins registration ?

@Uzlopak
Copy link
Contributor

Uzlopak commented Oct 12, 2024
edited
Loading

It would be a large text to describe what i mean.

See following code pieces:
https://github.com/fastify/fastify-response-validation/blob/daecd7ce0b352e002da5a05d0dbd33acd85fa4d8/index.js#L35

  1. add a new option like autoProtect for the plugin level and csrfProtect on the route level (shitty name but just to demonstrate) which can be set to true and hook option, which can be a lifecycle hook like onRequest or preParse.
  2. about in line 63 add following code
  fastify.addHook('onRoute', onRoute)

Now we need the onRoute Code which we for simplicity put into the plugin function to access the pluginOPtions opts

  function onRoute (routeOpts) {
    const { hook = 'preValidation' } = opts // <-- pluginOptions
    if (routeOpts.csrfProtect || (opts.autoProtect && opts.protectedMethods.includes(routeOpts.method)) {
      routeOpts[hook] = routeOpts[hook] || []
      routeOpts[hook].push(csrfProtection)
    }
  }

If you know your csrf token is in body, you need to parse it, so you would set the hook to preValidation but if you know the token is in the header, you can already process the request in the onRequest stage, as the headers should be there already, so you would set the hook to onRequest.

And of course validate if hook is a valid lifecycle hook and keep into account that onRequest and preValidation have the arity of 3 but preParsing has the arity of 4. So you could do it like here

This should help you to get atleast a mvp. there are probably some improvements possible to improve the DX.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Uzlopak Uzlopak Uzlopak requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@johaven @Uzlopak