From 6ae5348e2e8fd54d1aa7e8ff6bc6d528ad21e096 Mon Sep 17 00:00:00 2001
From: Julien Oculi
Date: Thu, 13 Jun 2024 12:25:30 +0200
Subject: [PATCH] feat(api): :lock: check csrf token for all non get request

---
 routes/api/_middleware.ts | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 routes/api/_middleware.ts

diff --git a/routes/api/_middleware.ts b/routes/api/_middleware.ts
new file mode 100644
index 0000000..38dec15
--- /dev/null
+++ b/routes/api/_middleware.ts
@@ -0,0 +1,17 @@
+import { FreshContext } from '$fresh/server.ts'
+import { SessionStore } from '../../src/session/mod.ts'
+import { respondApi } from '../../src/utils.ts'
+
+export function handler(request: Request, ctx: FreshContext) {
+ // Check CSRF token
+ if (['POST', 'PATCH', 'PUT', 'DELETE', 'OPTIONS'].includes(request.method)) {
+ const session = SessionStore.getFromRequest(request)
+ const csrf = session?.get('_csrf')
+
+ if (csrf === undefined || request.headers.get('X-CSRF-TOKEN') !== csrf) {
+ return respondApi('error', new Error('invalid csrf token'), 401)
+ }
+ }
+
+ return ctx.next()
+}
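Review bot: The `csrf === undefined` guard leaves a gap if `session?.get('_csrf')` can return `null` for a missing key (not visible here, so worth confirming against SessionStore): `request.headers.get('X-CSRF-TOKEN')` is `null` when the header is absent, so `null !== null` is false and a request with no token passes; `if (typeof csrf !== 'string' || request.headers.get('X-CSRF-TOKEN') !== csrf)` closes it whatever the store returns. The method allow-list also does not match the commit's stated intent of covering every non-GET request, since any other method string skips the check entirely; a deny-list such as `if (request.method !== 'GET' && request.method !== 'HEAD')` fails closed instead. Including `OPTIONS` will additionally reject CORS preflights, which browsers send without custom headers, if this API is meant to be reached cross-origin.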