Harden browser password and API request handling#228
Merged
Conversation
Keep private-room passwords out of persistent browser storage, enforce CSRF tokens for unsafe requests, and rate-limit the API and social routers to close the targeted CodeQL findings.
|
|
||
| beforeEach((done) => { | ||
| const app = express(); | ||
| app.use(session({ resave: false, saveUninitialized: false, secret: 'test-secret' })); |
Fetch a session-bound token before Cypress issues state-changing API or authentication requests.
coder13
marked this pull request as ready for review
July 14, 2026 02:20
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Scope\n\nTargets the password persistence, API/social rate-limit, and CSRF findings from #226.\n\n- replaces persistent private-room password storage with tab-memory-only storage and removes legacy browser keys;\n- adds
express-rate-limit8.5.2 to the API and every social router;\n- adds session-bound CSRF token verification withlusca1.7.0 (the middleware recognized by this repository’s CodeQL version), automatic client token handling, and POST-only logout;\n- includes focused regression coverage for password migration, CSRF enforcement, request limiting, and client token propagation.\n\nluscais a CodeQL-compatible legacy dependency, not a maintained-library endorsement. #227 tracks reassessment and migration to a maintained CSRF library once CodeQL support permits it. The legacy logout redirect is removed as a necessary part of the CSRF POST flow. Remaining CodeQL categories are tracked in #227.\n\n## Verification\n\n-yarn workspace letscube-server test --runInBand(38 suites, 205 tests)\n-yarn workspace letscube-client test --runInBand --runTestsByPath src/lib/fetch.test.js src/store/room/roomPasswordStorage.test.js src/store/middlewares/rooms.test.js(3 suites, 30 tests)\n-yarn workspace letscube-server lint(passes with 4 existing warnings)\n-yarn workspace letscube-client lint\n-yarn install --frozen-lockfile\n\nRelated production rollout: #176.