feat: generate and share csrf token on error as well

thetutlage · thetutlage · commit c1531f64ee57 · 2025-03-25T17:40:52.000+05:30
diff --git a/src/guards/csrf.ts b/src/guards/csrf.ts
@@ -197,16 +197,6 @@ export class CsrfGuard {
   async handle(ctx: HttpContext): Promise<void> {
     const csrfSecret = await this.#getCsrfSecret(ctx)
 
-    /**
-     * Validate current request before moving forward
-     */
-    if (this.#shouldValidateRequest(ctx)) {
-      const csrfToken = this.#getCsrfTokenFromRequest(ctx)
-      if (!csrfToken || !this.#tokens.verify(csrfSecret, csrfToken)) {
-        throw new E_BAD_CSRF_TOKEN()
-      }
-    }
-
     /**
      * Add csrf token on the request
      */
@@ -226,6 +216,16 @@ export class CsrfGuard {
      * Share with the view engine
      */
     this.#shareCsrfViewLocals(ctx)
+
+    /**
+     * Validate current request before moving forward
+     */
+    if (this.#shouldValidateRequest(ctx)) {
+      const csrfToken = this.#getCsrfTokenFromRequest(ctx)
+      if (!csrfToken || !this.#tokens.verify(csrfSecret, csrfToken)) {
+        throw new E_BAD_CSRF_TOKEN()
+      }
+    }
   }
 }
 
diff --git a/tests/csrf.spec.ts b/tests/csrf.spec.ts
@@ -328,6 +328,38 @@ test.group('Csrf', () => {
     )
   })
 
+  test('share CSRF token with templates and request even when request fails', async ({
+    assert,
+  }) => {
+    const app = await setup()
+    const ctx = new HttpContextFactory().create()
+    const encrpytion = await app.container.make('encryption')
+    const middleware = await new SessionMiddlewareFactory().create()
+
+    await middleware.handle(ctx, async () => {
+      ctx.route = { pattern: '/' } as any
+      ctx.request.request.method = 'PATCH'
+
+      const secret = await tokens.secret()
+      const csrfToken = tokens.create(secret)
+      ctx.request.updateBody({ _csrf: csrfToken })
+    })
+
+    const csrf = csrfFactory({ enabled: true, enableXsrfCookie: false }, encrpytion, Edge.create())
+    await assert.rejects(async () => csrf(ctx), new E_BAD_CSRF_TOKEN().message)
+    assert.exists(ctx.request.csrfToken)
+
+    assert.equal(
+      await ctx.view.renderRaw('{{ csrfMeta() }}'),
+      `<meta name='csrf-token' content='${ctx.request.csrfToken}'>`
+    )
+
+    assert.equal(
+      await ctx.view.renderRaw('{{ csrfField() }}'),
+      `<input type='hidden' name='_csrf' value='${ctx.request.csrfToken}'>`
+    )
+  })
+
   test('generate csrf token and share as a cookie when enableXsrfCookie is true', async ({
     assert,
   }) => {
