fix: wip

2025-11-20 03:32:14 +10:00 · 2025-02-12 18:39:00 +11:00
parent 15922d447b
commit 4c57095ee1
11 changed files with 72 additions and 231 deletions
--- a/packages/auth/server/routes/email-password.ts
+++ b/packages/auth/server/routes/email-password.ts
@ -25,6 +25,7 @@ import { prisma } from '@documenso/prisma';
 import { UserSecurityAuditLogType } from '@documenso/prisma/client';

 import { AuthenticationErrorCode } from '../lib/errors/error-codes';
+import { getCsrfCookie } from '../lib/session/session-cookies';
 import { onAuthorize } from '../lib/utils/authorizer';
 import { getRequiredSession, getSession } from '../lib/utils/get-session';
 import type { HonoAuthContext } from '../types/context';
@ -45,7 +46,16 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
  .post('/authorize', sValidator('json', ZSignInSchema), async (c) => {
    const requestMetadata = c.get('requestMetadata');

-    const { email, password, totpCode, backupCode } = c.req.valid('json');
+    const { email, password, totpCode, backupCode, csrfToken } = c.req.valid('json');
+
+    const csrfCookieToken = await getCsrfCookie(c);
+
+    // Todo: Add logging here.
+    if (csrfToken !== csrfCookieToken || !csrfCookieToken) {
+      throw new AppError(AuthenticationErrorCode.InvalidRequest, {
+        message: 'Invalid CSRF token',
+      });
+    }

    const user = await prisma.user.findFirst({
      where: {