feat(backend): add cookie parser and CSRF protection middleware

2025-05-17 10:33:38 +02:00 · 2025-05-17 10:33:38 +02:00 · 13f372390b
commit 13f372390b
parent 4028cebb63
1 changed files with 29 additions and 1 deletions
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@ -2,6 +2,8 @@ import { NestFactory } from '@nestjs/core';
 import { ValidationPipe } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { SwaggerModule, DocumentBuilder } from '@nestjs/swagger';
+import * as cookieParser from 'cookie-parser';
+import * as csurf from 'csurf';
 import { AppModule } from './app.module';

 async function bootstrap() {
@ -17,8 +19,34 @@ async function bootstrap() {
    }),
  );

-  // Configuration CORS selon l'environnement
+  // Configure cookie parser
+  app.use(cookieParser());
+
+  // Get environment configuration
  const environment = configService.get<string>('NODE_ENV', 'development');
+
+  // Configure CSRF protection
+  if (environment !== 'test') { // Skip CSRF in test environment
+    app.use(csurf({ 
+      cookie: {
+        httpOnly: true,
+        sameSite: 'strict',
+        secure: environment === 'production'
+      }
+    }));
+
+    // Add CSRF token to response
+    app.use((req, res, next) => {
+      res.cookie('XSRF-TOKEN', req.csrfToken?.() || '', {
+        httpOnly: false, // Client-side JavaScript needs to read this
+        sameSite: 'strict',
+        secure: environment === 'production'
+      });
+      next();
+    });
+  }
+
+  // Configuration CORS selon l'environnement
  const frontendUrl = configService.get<string>('FRONTEND_URL', 'http://localhost:3001');

  if (environment === 'development') {