fix/DF-469 forbidden error logs (#241)

* Remove duplicate crumb from context

* Remove safeGenerateCrumb from context

* Fix tests that rely on enforceCsrf being false

* Default enforceCsrf: true for all environments

* Fix component-state-errors.test.js

Author: davidjamesstone

src/config/index.ts

@@ -55,7 +55,7 @@ export const config = convict({
   },
   enforceCsrf: {
     format: Boolean,
-    default: isProduction,
+    default: true,
     env: 'ENFORCE_CSRF'
   },
 

src/server/plugins/engine/helpers.test.ts

@@ -18,7 +18,6 @@ import {
   getExponentialBackoffDelay,
   getPageHref,
   proceed,
-  safeGenerateCrumb,
   setPageTitles,
   type GlobalScope
 } from '~/src/server/plugins/engine/helpers.js'
@@ -36,7 +35,6 @@ import {
 import {
   FormAction,
   FormStatus,
-  type FormRequest,
   type FormResponseToolkit
 } from '~/src/server/routes/types.js'
 import definition from '~/test/form/definitions/basic.js'
@@ -493,78 +491,6 @@ describe('Helpers', () => {
     })
   })
 
-  describe('safeGenerateCrumb', () => {
-    it('should return undefined when request.state is missing (malformed request)', () => {
-      const malformedRequest = {
-        server: {
-          plugins: {
-            crumb: {
-              generate: jest.fn()
-            }
-          }
-        },
-        plugins: {},
-        route: { settings: { plugins: {} } },
-        path: '/test',
-        url: { search: '' }
-        // state intentionally omitted
-      } as unknown as FormRequest
-
-      const crumbToken = safeGenerateCrumb(malformedRequest)
-      expect(crumbToken).toBeUndefined()
-      expect(
-        malformedRequest.server.plugins.crumb.generate
-      ).not.toHaveBeenCalled()
-    })
-
-    it('should return undefined if crumb is disabled in route settings', () => {
-      const requestWithDisabledCrumb = {
-        server: {
-          plugins: {
-            crumb: {
-              generate: jest.fn().mockReturnValue('test-token')
-            }
-          }
-        },
-        plugins: {},
-        route: { settings: { plugins: { crumb: false } } },
-        path: '/test',
-        url: { search: '' },
-        state: {}
-      } as unknown as FormRequest
-
-      const crumbToken = safeGenerateCrumb(requestWithDisabledCrumb)
-      expect(crumbToken).toBeUndefined()
-      expect(
-        requestWithDisabledCrumb.server.plugins.crumb.generate
-      ).not.toHaveBeenCalled()
-    })
-
-    it('should generate crumb when state exists and crumb plugin is available', () => {
-      const mockCrumb = 'generated-crumb-value'
-      const validRequest = {
-        server: {
-          plugins: {
-            crumb: {
-              generate: jest.fn().mockReturnValue(mockCrumb)
-            }
-          }
-        },
-        plugins: {},
-        route: { settings: { plugins: {} } },
-        path: '/test',
-        url: { search: '' },
-        state: {}
-      } as unknown as FormRequest
-
-      const crumbToken = safeGenerateCrumb(validRequest)
-      expect(crumbToken).toBe(mockCrumb)
-      expect(validRequest.server.plugins.crumb.generate).toHaveBeenCalledWith(
-        validRequest
-      )
-    })
-  })
-
   describe('getExponentialBackoffDelay', () => {
     it.each([
       { depth: 1, expected: 2000 },

src/server/plugins/engine/helpers.ts

@@ -25,7 +25,6 @@ import { type FormModel } from '~/src/server/plugins/engine/models/FormModel.js'
 import { type PageControllerClass } from '~/src/server/plugins/engine/pageControllers/helpers/pages.js'
 import { stripParam } from '~/src/server/plugins/engine/pageControllers/helpers/state.js'
 import {
-  type AnyFormRequest,
   type FormContext,
   type FormContextRequest,
   type FormSubmissionError
@@ -336,32 +335,6 @@ export function createError(componentName: string, message: string) {
   }
 }
 
-/**
- * A small helper to safely generate a crumb token.
- * Checks that the crumb plugin is available, that crumb
- * is not disabled on the current route, and that cookies/state are present.
- */
-export function safeGenerateCrumb(
-  request: AnyFormRequest | null
-): string | undefined {
-  // no request or no .state
-  if (!request?.state) {
-    return undefined
-  }
-
-  // crumb plugin or its generate method doesn't exist
-  if (!request.server.plugins.crumb.generate) {
-    return undefined
-  }
-
-  // crumb is explicitly disabled for this route
-  if (request.route.settings.plugins?.crumb === false) {
-    return undefined
-  }
-
-  return request.server.plugins.crumb.generate(request)
-}
-
 /**
  * Calculates an exponential backoff delay (in milliseconds) based on the current retry depth,
  * using a base delay of 2000ms (2 seconds) and doubling for each additional depth, while capping the delay at 25,000ms (25 seconds).

src/server/plugins/nunjucks/context.js

@@ -8,8 +8,7 @@ import { config } from '~/src/config/index.js'
 import { createLogger } from '~/src/server/common/helpers/logging/logger.js'
 import {
   checkFormStatus,
-  encodeUrl,
-  safeGenerateCrumb
+  encodeUrl
 } from '~/src/server/plugins/engine/helpers.js'
 
 const logger = createLogger()
@@ -51,7 +50,6 @@ export async function context(request) {
     // take consumers props first so we can override it
     ...consumerViewContext,
     baseLayoutPath: pluginStorage.baseLayoutPath,
-    crumb: safeGenerateCrumb(request),
     currentPath: `${request.path}${request.url.search}`,
     previewMode: isPreviewMode ? formState : undefined,
     slug: isResponseOK ? params?.slug : undefined

src/server/plugins/nunjucks/context.test.js

@@ -101,43 +101,6 @@ describe('Nunjucks context', () => {
         malformedRequest.server.plugins.crumb.generate
       ).not.toHaveBeenCalled()
     })
-
-    it('should generate crumb when state exists', async () => {
-      const mockCrumb = 'generated-crumb-value'
-      const validRequest = /** @type {FormRequest} */ (
-        /** @type {unknown} */ ({
-          server: {
-            plugins: {
-              crumb: {
-                generate: jest.fn().mockReturnValue(mockCrumb)
-              },
-              'forms-engine-plugin': {
-                baseLayoutPath: 'randomValue'
-              }
-            }
-          },
-          plugins: {},
-          route: {
-            settings: {
-              plugins: {}
-            }
-          },
-          path: '/test',
-          url: { search: '' },
-          state: {},
-          yar: {
-            flash: jest.fn().mockReturnValue([]),
-            commit: jest.fn()
-          }
-        })
-      )
-
-      const { crumb } = await context(validRequest)
-      expect(crumb).toBe(mockCrumb)
-      expect(validRequest.server.plugins.crumb.generate).toHaveBeenCalledWith(
-        validRequest
-      )
-    })
   })
 })
 

src/server/routes/dummy-api.test.ts

@@ -21,7 +21,9 @@ describe('Dummy API', () => {
 
   beforeAll(async () => {
     MockDate.set('2025-01-01T00:00:00Z')
-    server = await createServer()
+    server = await createServer({
+      enforceCsrf: false
+    })
     await server.initialize()
   })
 

test/condition/checkboxes.test.js

@@ -21,7 +21,8 @@ describe('Checkboxes based conditions', () => {
   beforeAll(async () => {
     server = await createServer({
       formFileName: 'checkboxes.json',
-      formFilePath: resolve(import.meta.dirname, '../form/definitions')
+      formFilePath: resolve(import.meta.dirname, '../form/definitions'),
+      enforceCsrf: false
     })
 
     await server.initialize()

test/condition/radios.test.js

@@ -21,7 +21,8 @@ describe('Radio based conditions', () => {
   beforeAll(async () => {
     server = await createServer({
       formFileName: 'radios.json',
-      formFilePath: resolve(import.meta.dirname, '../form/definitions')
+      formFilePath: resolve(import.meta.dirname, '../form/definitions'),
+      enforceCsrf: false
     })
 
     await server.initialize()

test/condition/text.test.js

@@ -21,7 +21,8 @@ describe('TextField based conditions', () => {
   beforeAll(async () => {
     server = await createServer({
       formFileName: 'text.json',
-      formFilePath: resolve(import.meta.dirname, '../form/definitions')
+      formFilePath: resolve(import.meta.dirname, '../form/definitions'),
+      enforceCsrf: false
     })
 
     await server.initialize()

test/form/component-state-errors.test.js

@@ -53,7 +53,8 @@ describe('Component State Error Tests - File Upload', () => {
   beforeAll(async () => {
     server = await createServer({
       formFileName: 'file-upload-basic.js',
-      formFilePath: join(import.meta.dirname, 'definitions')
+      formFilePath: join(import.meta.dirname, 'definitions'),
+      enforceCsrf: false
     })
 
     await server.initialize()