chore: initial deploy bundle

2026-04-20 17:39:38 +03:00
parent 5f7c098f0b
commit 9329b76e9b
16 changed files with 386 additions and 303 deletions
--- a/apps/api/src/middleware/csrf.ts
+++ b/apps/api/src/middleware/csrf.ts
@@ -0,0 +1,36 @@
+import { Request, Response, NextFunction } from 'express';
+import { verifyCsrfToken, isCsrfConfigured } from '../services/csrf.service';
+import { logger } from '../lib/logger';
+
+const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
+
+export function csrfMiddleware(req: Request, res: Response, next: NextFunction): void {
+  if (SAFE_METHODS.has(req.method)) {
+    next();
+    return;
+  }
+
+  // If CSRF is not configured (Vault down при старте) — пропускаем, чтобы не блокировать сервис.
+  // В логах будет warning — легко заметить.
+  if (!isCsrfConfigured()) {
+    logger.warn('CSRF check skipped: secret not loaded');
+    next();
+    return;
+  }
+
+  const token = req.cookies?.csrf_token || req.headers['x-csrf-token'];
+
+  if (!token || typeof token !== 'string') {
+    res.status(403).json({ success: false, error: 'CSRF token missing' });
+    return;
+  }
+
+  const result = verifyCsrfToken(token);
+  if (!result.valid) {
+    logger.warn(`CSRF validation failed: ${result.reason}`);
+    res.status(403).json({ success: false, error: 'Invalid CSRF token' });
+    return;
+  }
+
+  next();
+}