website/routes/api/_middleware.ts

import { FreshContext } from '$fresh/server.ts'
import { SessionStore } from ':src/session/mod.ts'
import { respondApi } from ':src/utils.ts'

export function handler(request: Request, ctx: FreshContext) {
	// Check CSRF token
	if (['POST', 'PATCH', 'PUT', 'DELETE', 'OPTIONS'].includes(request.method)) {
		const session = SessionStore.getFromRequest(request)
		const csrf = session?.get('_csrf')

		if (csrf === undefined || request.headers.get('X-CSRF-TOKEN') !== csrf) {
			return respondApi('error', new Error('invalid csrf token'), 401)
		}
	}

	return ctx.next()
}
feat(api): :lock: check csrf token for all non get request 2024-06-13 12:25:30 +02:00			`import { FreshContext } from '$fresh/server.ts'`
refactor: :recycle: update import map to simplify local imports paths 2024-07-01 13:11:20 +02:00			`import { SessionStore } from ':src/session/mod.ts'`
			`import { respondApi } from ':src/utils.ts'`
feat(api): :lock: check csrf token for all non get request 2024-06-13 12:25:30 +02:00
			`export function handler(request: Request, ctx: FreshContext) {`
			`// Check CSRF token`
style: :art: deno fmt 2024-06-13 12:43:29 +02:00			`if (['POST', 'PATCH', 'PUT', 'DELETE', 'OPTIONS'].includes(request.method)) {`
			`const session = SessionStore.getFromRequest(request)`
			`const csrf = session?.get('_csrf')`
feat(api): :lock: check csrf token for all non get request 2024-06-13 12:25:30 +02:00
style: :art: deno fmt 2024-06-13 12:43:29 +02:00			`if (csrf === undefined \|\| request.headers.get('X-CSRF-TOKEN') !== csrf) {`
			`return respondApi('error', new Error('invalid csrf token'), 401)`
			`}`
			`}`
feat(api): :lock: check csrf token for all non get request 2024-06-13 12:25:30 +02:00
style: :art: deno fmt 2024-06-13 12:43:29 +02:00			`return ctx.next()`
feat(api): :lock: check csrf token for all non get request 2024-06-13 12:25:30 +02:00			`}`