fix(sveltekit): remmove redundant csrf check (#10963)

ndom91 · ThangHuuVu · web-flow · commit 656f1ec57a7e · 2024-06-02T11:34:07.000+07:00
* fix: rm unnecessary csrfCheck in sveltekit

* fix: rm unnecessary csrf check in webauthn signIn()

* fix: drop more unnecessary skipCSRFCheck calls

---------

Co-authored-by: Thang Vu &lt;hi@thvu.dev&gt;
diff --git a/packages/frameworks-sveltekit/src/lib/actions.ts b/packages/frameworks-sveltekit/src/lib/actions.ts
@@ -3,7 +3,7 @@ import type { RequestEvent } from "@sveltejs/kit"
 import { parse } from "set-cookie-parser"
 import { env } from "$env/dynamic/private"
 
-import { Auth, createActionURL, raw, skipCSRFCheck } from "@auth/core"
+import { Auth, createActionURL, raw } from "@auth/core"
 import type { SvelteKitAuthConfig } from "./types"
 import { setEnvDefaults } from "./env"
 
@@ -65,7 +65,7 @@ export async function signIn(
   headers.set("Content-Type", "application/x-www-form-urlencoded")
   const body = new URLSearchParams({ ...rest, callbackUrl })
   const req = new Request(url, { method: "POST", headers, body })
-  const res = await Auth(req, { ...config, raw, skipCSRFCheck })
+  const res = await Auth(req, { ...config, raw })
 
   for (const c of res?.cookies ?? []) {
     event.cookies.set(c.name, c.value, { path: "/", ...c.options })
@@ -103,7 +103,7 @@ export async function signOut(
   const body = new URLSearchParams({ callbackUrl })
   const req = new Request(url, { method: "POST", headers, body })
 
-  const res = await Auth(req, { ...config, raw, skipCSRFCheck })
+  const res = await Auth(req, { ...config, raw })
 
   for (const c of res?.cookies ?? [])
     event.cookies.set(c.name, c.value, { path: "/", ...c.options })
diff --git a/packages/frameworks-sveltekit/src/lib/client.ts b/packages/frameworks-sveltekit/src/lib/client.ts
@@ -36,7 +36,6 @@ export type SignInAuthorizationParams =
 /**
  * Client-side method to initiate a signin flow
  * or send the user to the signin page listing all possible providers.
- * Automatically adds the CSRF token to the request.
  *
  * [Documentation](https://authjs.dev/reference/sveltekit/client#signin)
  */
@@ -65,10 +64,6 @@ export async function signIn<
 
   const _signInUrl = `${signInUrl}?${new URLSearchParams(authorizationParams)}`
 
-  // TODO: Remove this since SvelteKit offers the CSRF protection via origin check
-  const csrfTokenResponse = await fetch(`${basePath}/auth/csrf`)
-  const { csrfToken } = await csrfTokenResponse.json()
-
   const res = await fetch(_signInUrl, {
     method: "post",
     headers: {
@@ -78,7 +73,6 @@ export async function signIn<
     // @ts-ignore
     body: new URLSearchParams({
       ...options,
-      csrfToken,
       callbackUrl,
     }),
   })
@@ -98,24 +92,19 @@ export async function signIn<
 
 /**
  * Signs the user out, by removing the session cookie.
- * Automatically adds the CSRF token to the request.
  *
  * [Documentation](https://authjs.dev/reference/sveltekit/client#signout)
  */
 export async function signOut(options?: SignOutParams) {
   const { callbackUrl = window.location.href } = options ?? {}
   const basePath = base ?? ""
-  // TODO: Remove this since SvelteKit offers the CSRF protection via origin check
-  const csrfTokenResponse = await fetch(`${basePath}/auth/csrf`)
-  const { csrfToken } = await csrfTokenResponse.json()
   const res = await fetch(`${basePath}/auth/signout`, {
     method: "post",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
       "X-Auth-Return-Redirect": "1",
     },
     body: new URLSearchParams({
-      csrfToken,
       callbackUrl,
     }),
   })
diff --git a/packages/frameworks-sveltekit/src/lib/env.ts b/packages/frameworks-sveltekit/src/lib/env.ts
@@ -1,4 +1,4 @@
-import { setEnvDefaults as coreSetEnvDefaults } from "@auth/core"
+import { setEnvDefaults as coreSetEnvDefaults, skipCSRFCheck } from "@auth/core"
 import { dev, building } from "$app/environment"
 import { base } from "$app/paths"
 import type { SvelteKitAuthConfig } from "./types"
@@ -9,6 +9,7 @@ export function setEnvDefaults(
 ) {
   config.trustHost ??= dev
   config.basePath = `${base}/auth`
+  config.skipCSRFCheck = skipCSRFCheck
   if (building) return
   coreSetEnvDefaults(envObject, config)
 }
diff --git a/packages/frameworks-sveltekit/src/lib/webauthn.ts b/packages/frameworks-sveltekit/src/lib/webauthn.ts
@@ -43,7 +43,6 @@ async function webAuthnOptions(providerId: string, options?: SignInOptions) {
 /**
  * Client-side method to initiate a webauthn signin flow
  * or send the user to the signin page listing all possible providers.
- * Automatically adds the CSRF token to the request.
  *
  * [Documentation](https://authjs.dev/reference/sveltekit/client#signin)
  */
@@ -85,10 +84,6 @@ export async function signIn<
     webAuthnBody.action = action
   }
 
-  // TODO: Remove this since Sveltekit offers the CSRF protection via origin check
-  const csrfTokenResponse = await fetch(`${basePath}/auth/csrf`)
-  const { csrfToken } = await csrfTokenResponse.json()
-
   const res = await fetch(_signInUrl, {
     method: "post",
     headers: {
@@ -98,7 +93,6 @@ export async function signIn<
     // @ts-ignore
     body: new URLSearchParams({
       ...options,
-      csrfToken,
       callbackUrl,
       ...webAuthnBody,
     }),
