MAP-2010 remove calls to old csrf library as now using csrf-sync (#757)
The call to setUpCsrf() ensures csrf token is available for all endpoints as implemented in the template project.
This includes the unauthenticated endpoints: /removal-requested, /already-removed and /removal-already-requested.
These unauthenticated endpoints enable staff to be removed from the 'Staff involved' list via the email prompting them to create a statement.
And even though these endpoints don't specifically set _csrf token in the html, it will not have an adverse effect because the html doesn't include any forms.
GurnankCheema authored Feb 24, 2025
1 parent 3a42539 commit d35503f
Showing 3 changed files with 1 addition and 16 deletions.
10 changes: 0 additions & 10 deletions server/middleware/csrfMiddleware.ts

This file was deleted.
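
Review bot: with server/middleware/csrfMiddleware.ts deleted and both imports of it removed, nothing in the three changed files references the old csrf library any more, yet no package manifest is among the files touched. If the old library is still declared as a dependency, drop it in the same change so an unused package does not stay in the install tree.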

4 changes: 0 additions & 4 deletions server/routes/index.ts
Expand Up @@ -5,7 +5,6 @@ import creatingReportsRoutes from './creatingReports'
import maintainingReportsRoutes from './maintainingReports'
import viewingReportsRoutes from './viewingReports'
import apiRoutes from './api'
import csrf from '../middleware/csrfMiddleware'

import type { Services } from '../services'

Expand All @@ -16,9 +15,6 @@ export default function Index(authenticationMiddleware: Handler, services: Servi
router.use(flash())

router.use(authenticationMiddleware)

router.use(csrf())

router.use(creatingReportsRoutes(services))
router.use(maintainingReportsRoutes(services))
router.use(viewingReportsRoutes(services))
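
Review bot: after `router.use(authenticationMiddleware)` this router no longer installs any CSRF check of its own, so the state-changing routes under creatingReportsRoutes, maintainingReportsRoutes and viewingReportsRoutes now rely on setUpCsrf() (named in the commit message, not visible in this diff) being registered before Index is mounted. Leave a short comment where `router.use(csrf())` stood stating that dependency, and add a test that a POST to one of these routes without a token is rejected, so a later reordering of middleware fails loudly instead of silently dropping the protection.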
3 changes: 1 addition & 2 deletions server/routes/unauthenticated/index.ts
Expand Up @@ -4,15 +4,14 @@ import asyncMiddleware from '../../middleware/asyncMiddleware'

import type { Services } from '../../services'
import RemovalRequest from './requestRemoval'
import csrf from '../../middleware/csrfMiddleware'

export default function UnauthenticatedRoutes(services: Services): Router {
const { reportService, statementService, systemToken } = services

const router = express.Router()

const removalRequest = new RemovalRequest(reportService, statementService, systemToken)
router.get('/request-removal/:statementId', flash(), csrf(), asyncMiddleware(removalRequest.view))
router.get('/request-removal/:statementId', flash(), asyncMiddleware(removalRequest.view))
router.post('/request-removal/:statementId', flash(), asyncMiddleware(removalRequest.submit))

router.get('/removal-requested', removalRequest.viewConfirmation)
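
Review bot: `router.post('/request-removal/:statementId', ...)` is a state-changing route reachable without authentication, and with `csrf()` gone from the matching GET nothing in this file shows where its token is issued or checked. The commit message's reasoning (no forms in the html) covers /removal-requested, /already-removed and /removal-already-requested but not this route. Please confirm that setUpCsrf() runs before UnauthenticatedRoutes is mounted and that the page served by removalRequest.view still carries the token the new middleware expects, ideally with a test that submits to this route once with and once without the token.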
