diff --git a/package.json b/package.json
index 906615a..59a3043 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "@moduletrace/datasquirel",
-    "version": "3.1.3",
+    "version": "3.1.4",
     "description": "Cloud-based SQL data management tool",
     "main": "index.js",
     "bin": {
diff --git a/users/user-auth.js b/users/user-auth.js
index 9fe0863..3a0043e 100644
--- a/users/user-auth.js
+++ b/users/user-auth.js
@@ -52,13 +52,15 @@ function userAuth({
     csrfHeaderName,
 }) {
     try {
+        const finalRequest = req || request;
+
         const finalEncryptionKey = encryptionKey || process.env.DSQL_ENCRYPTION_PASSWORD;
         const finalEncryptionSalt = encryptionSalt || process.env.DSQL_ENCRYPTION_SALT;
         const cookies = parseCookies({
-            request: request || req,
+            request: finalRequest,
             cookieString,
         });
@@ -129,20 +131,29 @@ function userAuth({
      *
      * @description Grab the payload
      */
-    if (
-        level?.match(/deep/i) &&
-        ((csrfHeaderName &&
-            req?.headers[csrfHeaderName] !== userObject.csrf_k &&
-            request?.headers[csrfHeaderName] !== userObject.csrf_k) ||
-            (csrfHeaderIsValue &&
-                !req?.headers[userObject.csrf_k] &&
-                !request?.headers[userObject.csrf_k]))
-    ) {
-        return {
-            success: false,
-            payload: null,
-            msg: "CSRF_K mismatch",
-        };
+    if (level?.match(/deep/i) && finalRequest) {
+        if (
+            csrfHeaderName &&
+            finalRequest.headers[csrfHeaderName] !== userObject.csrf_k
+        ) {
+            return {
+                success: false,
+                payload: null,
+                msg: "CSRF_K mismatch",
+            };
+        }
+        const targetCsrfHeaderKey = Object.keys(finalRequest.headers) .filter((k) => k.replace(/[^a-zA-Z0-9\-]/g, "")) .find((k) => k == userObject.csrf_k);
+        if (csrfHeaderIsValue && !targetCsrfHeaderKey) {
+            return {
+                success: false,
+                payload: null,
+                msg: "CSRF_K Header Key mismatch",
+            };
+        }
     }
     const payloadCreationDate = Number(userObject.date);
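Review bot: `const finalRequest = req || request;` flips the precedence the removed line used (`request: request || req`), so a caller that passes both objects now has its cookies parsed from `req` where they were previously parsed from `request`. If that is intentional, a one-line comment such as `// req takes precedence over request when both are supplied` should say so; if not, `const finalRequest = request || req;` keeps the old behaviour while still deduplicating the fallback. userAuth starts before this hunk and its body continues after it.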
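Review bot: The new outer guard `if (level?.match(/deep/i) && finalRequest)` makes the deep-level CSRF check fail open: when neither `req` nor `request` is supplied both checks are skipped and execution falls through to the payload, whereas the removed condition returned `CSRF_K mismatch` in that case because `undefined !== userObject.csrf_k` held for a configured `csrfHeaderName`. Add a fail-closed branch ahead of it: `if (level?.match(/deep/i) && !finalRequest && (csrfHeaderName || csrfHeaderIsValue)) { return { success: false, payload: null, msg: "CSRF_K mismatch" }; }`. The `.filter((k) => k.replace(/[^a-zA-Z0-9\-]/g, ""))` step does not sanitize anything — it only drops header names with no alphanumeric character at all and the raw key is still what `.find` compares — so it can go, `k == userObject.csrf_k` should be `k === userObject.csrf_k`, and both token comparisons would ideally use `crypto.timingSafeEqual` on equal-length buffers rather than `!==`. Note also that the key-presence lookup replaces the old truthy-value test (`!req?.headers[userObject.csrf_k]`), so a header sent with an empty value now passes; if that is not intended, keep checking `finalRequest.headers[userObject.csrf_k]`. userAuth starts before this hunk and its body continues after it.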