From 800aef1942f7fc948fa2064bae29ae62b8eacdb8 Mon Sep 17 00:00:00 2001
From: KernelDeimos
Date: Mon, 13 May 2024 20:40:27 -0400
Subject: [PATCH] Implement anti-CSRF for logout

---
 packages/backend/src/routers/logout.js | 5 +++++
 src/initgui.js | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/packages/backend/src/routers/logout.js b/packages/backend/src/routers/logout.js
index 771c9ad7c..caadfbe90 100644
--- a/packages/backend/src/routers/logout.js
+++ b/packages/backend/src/routers/logout.js
@@ -29,6 +29,11 @@ router.post('/logout', auth, express.json(), async (req, res, next)=>{
 // check subdomain
 if(require('../helpers').subdomain(req) !== 'api' && require('../helpers').subdomain(req) !== '') next();
+ // check anti-csrf token
+ const svc_antiCSRF = req.services.get('anti-csrf');
+ if ( ! svc_antiCSRF.consume_token(req.user.uuid, req.body.anti_csrf) ) {
+ return res.status(400).json({ message: 'incorrect anti-CSRF token' });
+ }
 // delete cookie
 res.clearCookie(config.cookie_name);
 // delete session
diff --git a/src/initgui.js b/src/initgui.js
index c45a427f5..1cfcd517e 100644
--- a/src/initgui.js
+++ b/src/initgui.js
@@ -1981,6 +1981,8 @@ window.initgui = async function(){
 // logout
 try{
+ const resp = await fetch(`${window.gui_origin}/get-anticsrf-token`);
+ const { token } = await resp.json();
 await $.ajax({
 url: window.gui_origin + "/logout",
 type: 'POST',
@@ -1989,6 +1991,7 @@ window.initgui = async function(){
 headers: {
 "Authorization": "Bearer " + window.auth_token
 },
+ data: JSON.stringify({ anti_csrf: token }),
 statusCode: {
 401: function () {
 },
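Review bot: The new `consume_token(req.user.uuid, req.body.anti_csrf)` guard is reached even when the pre-existing subdomain check on the line above has already called `next()`, because that line does not return; on such a request the handler both hands off to the next route and then either writes the 400 or clears the cookie and session, so the token check should only run after an early `return next();` on that line. `req.body.anti_csrf` will be undefined whenever no JSON body was parsed (the route only mounts `express.json()`), and if `consume_token` throws on an undefined or malformed token, or `req.services.get('anti-csrf')` returns nothing, the rejection from this async handler is not forwarded to `next` in Express 4 and the request hangs — presumably the service rejects a missing token gracefully, but that is not visible here, so a `if (typeof req.body?.anti_csrf !== 'string') return res.status(400).json({ message: 'incorrect anti-CSRF token' });` guard before the call would make the failure mode explicit. The handler body continues beyond the hunk.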
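Review bot: The added `fetch(\`${window.gui_origin}/get-anticsrf-token\`)` sends no `Authorization` header and never checks `resp.ok`, while the logout request a few lines below authenticates with `Bearer window.auth_token`; unless `/get-anticsrf-token` identifies the user through the session cookie (not visible in this diff), it will issue a token for a different or anonymous principal and the server-side `consume_token(req.user.uuid, …)` will reject it. A non-2xx or non-JSON response also makes `resp.json()` throw, or leaves `token` undefined, so the logout below never runs and the local session is never cleared. Suggest `const resp = await fetch(\`${window.gui_origin}/get-anticsrf-token\`, { headers: { Authorization: 'Bearer ' + window.auth_token } });` followed by `if (!resp.ok) throw new Error('anti-CSRF token request failed: ' + resp.status);`. The enclosing `try` and `window.initgui` function continue outside the hunk.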
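Review bot: The added `data: JSON.stringify({ anti_csrf: token }),` is sent with jQuery's default `application/x-www-form-urlencoded` content type unless a `contentType` option sits in the lines between the two hunks, and the server route only parses bodies through `express.json()`, which ignores non-JSON content types; in that case `req.body.anti_csrf` arrives undefined and every logout is refused with the new 400. If no `contentType` is set elsewhere in this `$.ajax` call, add `contentType: 'application/json',` beside `data`. The `$.ajax` options object and the surrounding function continue outside the hunk.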