fix: share correct app key with csrf middleware

adonisjs · Mar 6, 2020 · a2bc5eb · a2bc5eb
1 parent f90edb9
commit a2bc5eb
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 7 deletions.
diff --git a/providers/ShieldProvider.ts b/providers/ShieldProvider.ts
@@ -16,7 +16,8 @@ export default class ShieldProvider {
     this.container.singleton('Adonis/Addons/ShieldMiddleware', () => {
       const Config = this.container.use('Adonis/Core/Config')
       const shieldConfig = Config.get('shield', {})
-      return new (require('../src/ShieldMiddleware').ShieldMiddleware)(shieldConfig)
+      const appKey = Config.get('app.appKey')
+      return new (require('../src/ShieldMiddleware').ShieldMiddleware)(shieldConfig, appKey)
     })
   }
 

diff --git a/src/ShieldMiddleware/index.ts b/src/ShieldMiddleware/index.ts
@@ -21,7 +21,7 @@ export class ShieldMiddleware {
    * Actions to be performed
    */
   private actions = [
-    shield.csrfFactory(this.config.csrf || {}, ''),
+    shield.csrfFactory(this.config.csrf || {}, this.appKey),
     shield.cspFactory(this.config.csp || {}),
     shield.dnsPrefetchFactory(this.config.dnsPrefetch || {}),
     shield.frameGuardFactory(this.config.xFrame || {}),
@@ -31,7 +31,7 @@ export class ShieldMiddleware {
     shield.xssFactory(this.config.xss || {}),
   ]
 
-  constructor (private config: ShieldConfig) {
+  constructor (private config: ShieldConfig, private appKey: string) {
   }
 
   /**

diff --git a/src/csrf.ts b/src/csrf.ts
@@ -43,7 +43,7 @@ export class Csrf {
    */
   private secretSessionKey = 'csrf-secret'
 
-  constructor (private options: CsrfOptions, private applicationKey: string) {
+  constructor (private options: CsrfOptions, private appKey: string) {
   }
 
   /**
@@ -92,7 +92,7 @@ export class Csrf {
     }
 
     const encryptedToken = request.header('x-xsrf-token')
-    const unpackedToken = encryptedToken ? unpack(encryptedToken, this.applicationKey) : null
+    const unpackedToken = encryptedToken ? unpack(decodeURIComponent(encryptedToken), this.appKey) : null
     return unpackedToken && unpackedToken.signed ? unpackedToken.value : null
   }
 
@@ -183,11 +183,11 @@ export class Csrf {
  * A factory function that returns a new function to enforce CSRF
  * protection
  */
-export function csrfFactory (options: CsrfOptions, applicationKey: string) {
+export function csrfFactory (options: CsrfOptions, appKey: string) {
   if (!options.enabled) {
     return noop
   }
 
-  const csrfMiddleware = new Csrf(options, applicationKey)
+  const csrfMiddleware = new Csrf(options, appKey)
   return csrfMiddleware.handle.bind(csrfMiddleware)
 }