Actually, the main middleware I am looking for is one that implements the CSRF protection. I used these two Express middleware before and they are proven middlewares.
The cookie-parser middleware must be placed before csurf. And what csurf does is the following: Creates a CSRF token and validates an incoming request against that token. This middleware adds a req.csrfToken() function to make a token which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor’s csrf cookie.
I need to protect almost all GraphQL endpoints including login and register.
According to my opinion, this token should be issued when a user requests the index.html (JAM stack, residing somewhere in CDN) for the first time. Now for all subsequent requests, the client sends the CSRF token with all requests.
How can we implement this in Redwood. Kindly tell me. Thanks.
As a side note, Fastify allows us to use the Express middleware. Also, the Express middleware are simply functions.
It’d be great if the Redwood uses these two middleware functions to provide the CSRF functionality out-of-the-box.
I’m not certain we’ve exposed a way to add Fastify plugins, however. But, if your concern is plugins for the GraphQL handler, since this is a lambda function ( that Fastify knows how to handler), I think using Middy as middleware is a reasonable option, see below.
Slight correction: CSRF is only half-done in dbAuth—I couldn’t figure out where to add arbitrary headers (like a csrf-token header) to every GraphQL request, including those for currentUser. There’s an open issue here: https://github.com/redwoodjs/redwood/issues/3075
Okay fine. Just to make sure, Fastify is used when we deploy an app on AWS. And for this purpose, you wrote the following. Am I right?
Storing a CSRF token in the db means that we need to hit the db everytime a resolver is executed. The CSRF protection can be implemented in a stateless manner too. As stated in the following link, there is a double submit cookie pattern for the same.
The next-auth also uses the same method. It is stated in this Readme
As stated above, CSRF protection is not actually implemented in dbAuth yet. But, even when it is, CSRF tokens will not be stored in the database, they’re implemented as request headers combined with a token encrypted into your auth session cookie.
CSRF in dbAuth (database) made me assume that they are getting stored in db. If possible, use the csurf and cookie-parser modules to implement it. These modules further use several other modules to make CSRF work perfectly.