From 8b0f33e9ff1384b63d01d6e7f9d72ac51ea7f4fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?sullayang=28=E6=9D=A8=E9=87=91=E4=BC=9F=29?=
Date: Thu, 4 Jan 2024 11:23:27 +0800
Subject: [PATCH] feat: CSRF cookies allow the use of signatures.

---
 app/extend/context.js | 4 ++--
 config/config.default.js | 4 ++++
 test/csrf_cookieDomain.test.js | 20 +++++++++++++++++++
 .../app/controller/home.js | 9 +++++++++
 .../csrf-cookieOptions-signed/app/router.js | 5 +++++
 .../config/config.default.js | 11 ++++++++++
 .../csrf-cookieOptions-signed/package.json | 3 +++
 7 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 test/fixtures/apps/csrf-cookieOptions-signed/app/controller/home.js
 create mode 100644 test/fixtures/apps/csrf-cookieOptions-signed/app/router.js
 create mode 100644 test/fixtures/apps/csrf-cookieOptions-signed/config/config.default.js
 create mode 100644 test/fixtures/apps/csrf-cookieOptions-signed/package.json

diff --git a/app/extend/context.js b/app/extend/context.js
index d687d94..a3f7520 100644
--- a/app/extend/context.js
+++ b/app/extend/context.js
@@ -82,7 +82,7 @@ module.exports = {
  */
 get [CSRF_SECRET]() {
 if (this[_CSRF_SECRET]) return this[_CSRF_SECRET];
- let { useSession, cookieName, sessionName } = this.app.config.security.csrf;
+ let { useSession, cookieName, sessionName, cookieOptions = {} } = this.app.config.security.csrf;
 // get secret from session or cookie
 if (useSession) {
 this[_CSRF_SECRET] = this.session[sessionName] || '';
@@ -90,7 +90,7 @@ module.exports = {
 // cookieName support array. so we can change csrf cookie name smoothly
 if (!Array.isArray(cookieName)) cookieName = [ cookieName ];
 for (const name of cookieName) {
- this[_CSRF_SECRET] = this.cookies.get(name, { signed: false }) || '';
+ this[_CSRF_SECRET] = this.cookies.get(name, { signed: cookieOptions.signed || false }) || '';
 if (this[_CSRF_SECRET]) break;
 }
 }
diff --git a/config/config.default.js b/config/config.default.js
index 9b7fa8e..41938f0 100644
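Review bot: The `cookieOptions = {}` default introduced on the destructuring line is consumed only on the lookup side of the secret; the code that issues the csrfToken cookie is not part of this diff, and both sides must agree on `signed`, otherwise a signed read will never accept an unsigned write (and vice versa). The new test's expectation of a `csrfToken.sig` cookie suggests the issuing side already applies `cookieOptions`, but that is inferred rather than visible in the hunk. A comment on the new line would make the coupling explicit, e.g. `// cookieOptions.signed must match the options used where the csrf cookie is set`. The getter continues past the end of the hunk.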
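Review bot: `signed: cookieOptions.signed || false` forwards any truthy config value unchanged to `cookies.get`, so the option is not strictly boolean as the default config implies; `signed: cookieOptions.signed === true` pins it. When signing is on, a csrfToken cookie whose `csrfToken.sig` is absent or fails verification is ignored and the loop falls through to the next configured name and finally to `''`, which is the tamper protection this option exists for, but it also means that flipping the option to `true` presumably invalidates every secret issued before the change and clients will be handed a fresh secret on their next request — worth a sentence in the config comment so operators expect it. The for-loop and the getter close inside the hunk, but the getter began before it.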
--- a/config/config.default.js
+++ b/config/config.default.js
@@ -50,6 +50,10 @@ module.exports = () => {
 refererWhiteList: [
 // 'eggjs.org'
 ],
+ // csrf token's cookie options
+ cookieOptions: {
+ signed: false,
+ },
 },
 xframe: {
diff --git a/test/csrf_cookieDomain.test.js b/test/csrf_cookieDomain.test.js
index 117a085..5c95af8 100644
--- a/test/csrf_cookieDomain.test.js
+++ b/test/csrf_cookieDomain.test.js
@@ -64,4 +64,24 @@ describe('test/csrf_cookieDomain.test.js', () => {
 .expect('Set-Cookie', /csrfToken=[\w\-]+; path=\/; httponly/);
 });
 });
+
+ describe('cookieOptions use signed', () => {
+ let app;
+ before(() => {
+ app = mm.app({
+ baseDir: 'apps/csrf-cookieOptions-signed',
+ });
+ return app.ready();
+ });
+ after(() => app.close());
+
+ it('should auto set csrfToken and csrfToken.sig with cookie options on GET request', () => {
+ return app.httpRequest()
+ .get('/hello')
+ .set('Host', 'abc.aaaa.ddd.string.com')
+ .expect('hello csrfToken cookieOptions signed')
+ .expect(200)
+ .expect('Set-Cookie', /csrfToken=[\w\-]+; path=\/,csrfToken\.sig=[\w\-]+; path=\//);
+ });
+ });
 });
diff --git a/test/fixtures/apps/csrf-cookieOptions-signed/app/controller/home.js b/test/fixtures/apps/csrf-cookieOptions-signed/app/controller/home.js
new file mode 100644
index 0000000..37685ab
--- /dev/null
+++ b/test/fixtures/apps/csrf-cookieOptions-signed/app/controller/home.js
@@ -0,0 +1,9 @@
+'use strict';
+
+module.exports = app => {
+ return class Home extends app.Controller {
+ * index() {
+ this.ctx.body = 'hello csrfToken cookieOptions signed';
+ }
+ };
+};
diff --git a/test/fixtures/apps/csrf-cookieOptions-signed/app/router.js b/test/fixtures/apps/csrf-cookieOptions-signed/app/router.js
new file mode 100644
index 0000000..9d224b1
--- /dev/null
+++ b/test/fixtures/apps/csrf-cookieOptions-signed/app/router.js
@@ -0,0 +1,5 @@
+'use strict';
+
+module.exports = app => {
+ app.get('/hello', 'home.index');
+};
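Review bot: The comment `// csrf token's cookie options` says nothing about what the object feeds or what `signed: true` requires, and it is the only documentation a user will see for the new option. Enabling `signed` makes the secret lookup in app/extend/context.js verify the companion `csrfToken.sig` cookie against `app.keys`, so `keys` must be configured (the new fixture sets `exports.keys` for exactly that reason), and presumably the same options are applied when the cookie is written. Suggested wording: `// options for the csrf secret cookie; signed: true verifies csrfToken.sig against app.keys, so keys must be configured`.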
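Review bot: The new case only proves that a `.sig` cookie is emitted; it never exercises the read path changed in app/extend/context.js, so a regression that ignores the signature on lookup would still pass. A second request in the same describe that sends back a `csrfToken` cookie with a missing or altered `csrfToken.sig` and asserts that the response issues a fresh `csrfToken`/`csrfToken.sig` pair (i.e. the unsigned value was not accepted as the secret) would cover the property this option exists for. Separately, `.set('Host', 'abc.aaaa.ddd.string.com')` is carried over from the cookieDomain cases above and has no effect here because the fixture config sets no cookieDomain; dropping it keeps the case focused on signing.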
diff --git a/test/fixtures/apps/csrf-cookieOptions-signed/config/config.default.js b/test/fixtures/apps/csrf-cookieOptions-signed/config/config.default.js
new file mode 100644
index 0000000..e27d3c5
--- /dev/null
+++ b/test/fixtures/apps/csrf-cookieOptions-signed/config/config.default.js
@@ -0,0 +1,11 @@
+'use strict';
+
+exports.keys = 'cookie options';
+
+exports.security = {
+ csrf: {
+ cookieOptions: {
+ signed: true
+ },
+ },
+};
diff --git a/test/fixtures/apps/csrf-cookieOptions-signed/package.json b/test/fixtures/apps/csrf-cookieOptions-signed/package.json
new file mode 100644
index 0000000..75f0a4f
--- /dev/null
+++ b/test/fixtures/apps/csrf-cookieOptions-signed/package.json
@@ -0,0 +1,3 @@
+{
+ "name": "csrf-cookieOptions-signed"
+}