I want to implement CSRF protection in my Firebase Functions, because I am using cookies to send data to and receive data from my cloud functions.
As I understand from here, and as I can also see here, the __session cookie is the only cookie that is accepted. So the csurf package with a cloud function implementation like:
    const express = require("express");
    const cookieParser = require("cookie-parser"); // csurf in cookie mode needs parsed cookies
    const csrf = require("csurf");
    const admin = require("firebase-admin");
    const functions = require("firebase-functions");

    admin.initializeApp(functions.config().firebase);

    const app = express();
    app.use(cookieParser());
    // cookie: true makes csurf store its secret in a "_csrf" cookie (the default name),
    // which is not the "__session" cookie and therefore does not survive Firebase Hosting.
    const csrfMiddleware = csrf({ cookie: true });
    app.use(csrfMiddleware);

    // Expose the per-request token in a readable cookie for the frontend to echo back.
    app.all("*", (req, res, next) => {
      res.cookie("XSRF-TOKEN", req.csrfToken());
      next();
    });
won't work. But I could not find any other option right now.
So my implementation on the cloud function side, login.js:
    firebase.auth().signInWithEmailAndPassword(email, password).then(response => {
      let user = response.user;
      let payload = {};
      try {
        // user.xa is an undocumented internal field of the client SDK user object
        let accessToken = user.xa;
        let refreshToken = user.refreshToken;
        res.cookie('__session', accessToken, {
          httpOnly: true,
          expires: new Date(Date.now() + 24 * 3600 * 1000),
          maxAge: 24 * 3600 * 1000,
          secure: true,
          sameSite: "None"
        });
        res.cookie('refresh_token', refreshToken, {
          httpOnly: true,
          expires: new Date(Date.now() + 24 * 3600 * 1000),
          maxAge: 24 * 3600 * 1000,
          secure: true,
          sameSite: "None"
        });
        // other payloads
        res.status(200).send(JSON.stringify(payload));
      } catch (err) {
        // the original try block had no catch; fail the request instead of leaving it open
        return res.status(500).send(err.message);
      }
    }).catch(err => {
      return res.status(401).send(err.message);
    });
and the validation side, validator.js:
    const admin = require("firebase-admin");

    // Verify the Firebase ID token carried in the __session cookie before calling next()
    async function validator(req, res, next) {
      const idToken = req.cookies && req.cookies.__session;
      if (!idToken) return res.status(401).send('Missing session cookie');
      try {
        req.user = await admin.auth().verifyIdToken(idToken); // attach verified claims
        next();
      } catch (err) {
        res.status(401).send('Invalid or expired session');
      }
    }
So the question is:
how do I implement CSRF middleware in Firebase Cloud Functions? (P.S. I am using Firebase Hosting to serve my frontend application.)