Merge pull request #1 from dnanexus/fix/security-scan

Fix/security scan

package.json

@@ -18,6 +18,7 @@
     "express": "^4.19.2",
     "express-session": "^1.18.0",
     "jose": "^5.6.2",
-    "openid-client": "^5.6.5"    
+    "lusca": "^1.7.0",
+    "openid-client": "^5.6.5"
   }
 }

src/app.js

@@ -1,24 +1,30 @@
 const express = require('express');
 const session = require('express-session');
+const { csrf } = require('lusca');
+const { randomUUID }  = require('crypto');
+const { URL } = require('url');
 const bodyParser = require('body-parser');
 const config = require('./config/config');
 const routes = require('./routes');
 const errorHandler = require('./errorHandler');
-const { randomUUID }  = require('crypto');
+
+const callbackProtocol = new URL(config.oidc.redirect_url).protocol;
+
 const app = express();
 
 app.use(session({
   secret: randomUUID(),
+  cookie: { maxAge: 60000, secure: callbackProtocol === 'https:'},
   resave: false,
   saveUninitialized: true
 }));
 
 app.use(bodyParser.urlencoded({ extended: true }));
+app.use(csrf());
 
 app.use('/', routes);
 app.use(errorHandler);
 
-
 app.listen(config.port, () => {
   console.log(`App listening at http://localhost:${config.port}`);
 });

src/controllers/homeController.js

@@ -2,7 +2,7 @@ const config = require('../config/config');
 
 function home (req, res) {
   const scopes = config.oidc.scopes.split(' ');
-
+  
   const scopeCheckboxes = scopes.map(scope => 
     `<label>
       <input type="checkbox" name="scope" value="${scope}">${scope}
@@ -11,10 +11,11 @@ function home (req, res) {
 
   res.send (
   `<h1>Welcome</h1>
-  <form action="/login" method="post">
+  <form action="/login" method="post">    
     <p>Select scopes for the authentication:</p>
-    ${scopeCheckboxes}
+    ${scopeCheckboxes}    
     <p>
+    <input type="hidden" name="_csrf" value="${req.csrfToken()}">
     <button type="submit">Log in with DNAnexus</button>
     </p>
   </form>`);