feat: add conditional CSRF protection based on user agents

Author: jescalada

src/service/index.ts

@@ -55,19 +55,41 @@ async function createApp(proxy: Proxy): Promise<Express> {
     }),
   );
   if (config.getCSRFProtection() && process.env.NODE_ENV !== 'test') {
-    app.use(
-      lusca({
-        csrf: {
-          cookie: { name: 'csrf' },
-        },
-        hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
-        nosniff: true,
-        referrerPolicy: 'same-origin',
-        xframe: 'SAMEORIGIN',
-        xssProtection: true,
-      }),
-    );
+    const luscaBase = lusca({
+      hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
+      nosniff: true,
+      referrerPolicy: 'same-origin',
+      xframe: 'SAMEORIGIN',
+      xssProtection: true,
+    });
+    const luscaCsrf = lusca({
+      csrf: {
+        cookie: { name: 'csrf' },
+      },
+    });
+
+    app.use((req, res, next) => {
+      const userAgent = req.headers['user-agent'] || '';
+      const origin = req.headers['origin'] || '';
+      const referer = req.headers['referer'] || '';
+      const isCli = req.headers['x-client-type'] === 'cli' || userAgent.includes('git-proxy-cli');
+      console.log('origin, referer, isCli', origin, referer, isCli);
+      console.log('userAgent', userAgent);
+      const browserAgentLookups = ['Mozilla', 'AppleWebKit', 'Chrome', 'Safari', 'Firefox', 'Edge'];
+      const isBrowserRequest = browserAgentLookups.some((lookup) => userAgent.includes(lookup));
+      if (isCli || (!origin && !referer && !isBrowserRequest)) {
+        console.log('isCli or no origin or referer or browser request');
+        return luscaBase(req, res, next);
+      }
+
+      luscaBase(req, res, (err) => {
+        console.log('is browser request');
+        if (err) return next(err);
+        luscaCsrf(req, res, next);
+      });
+    });
   }
+
   app.use(passport.initialize());
   app.use(passport.session());
   app.use(express.json());