Fixed Security Issue

Author: Advayp

server/package.json

@@ -14,14 +14,18 @@
         "@mikro-orm/migrations": "^4.5.9",
         "@mikro-orm/postgresql": "^4.5.9",
         "argon2": "^0.28.2",
+        "cookie-parser": "^1.4.5",
         "cors": "^2.8.5",
+        "csurf": "^1.11.0",
         "express": "^4.17.1",
         "pg": "^8.7.1",
         "ts-node": "^10.3.0",
         "typescript": "^4.4.3"
     },
     "devDependencies": {
+        "@types/cookie-parser": "^1.4.2",
         "@types/cors": "^2.8.12",
+        "@types/csurf": "^1.11.2",
         "@types/dotenv": "^8.2.0",
         "@types/express": "^4.17.13",
         "@types/express-session": "^1.17.4",

server/src/index.ts

@@ -7,6 +7,7 @@ import { MyContext } from "./types";
 import userRouter from "./routers/user";
 import cors from "cors";
 import session from "express-session";
+import cookieParser from "cookie-parser";
 
 dotenv.config();
 const app = express();
@@ -27,6 +28,7 @@ const main = async () => {
     app.listen(PORT, () => console.log(`Alive on  http://localhost:${PORT}`));
 
     app.use(express.json());
+    app.use(cookieParser());
     app.use(
         session({
             secret: process.env.COOKIE_SECRET ?? "",

server/src/routers/user.ts

@@ -1,13 +1,14 @@
 import express from "express";
 import { Delete, GetAll, GetOne, Login, SignUp, Me } from "../controllers/user";
+import csurf from "csurf";
 
 const router = express.Router();
 
-router.get("/me", Me);
-router.get("/:id", GetOne);
-router.get("/", GetAll);
-router.post("/create", SignUp);
-router.post("/login", Login);
-router.get("/delete/:id", Delete);
+router.get("/me", csurf, Me);
+router.get("/:id", csurf, GetOne);
+router.get("/", csurf, GetAll);
+router.post("/create", csurf, SignUp);
+router.post("/login", csurf, Login);
+router.get("/delete/:id", csurf, Delete);
 
 export default router;