
Implement anti-CSRF for logout

KernelDeimos 1 年之前
父節點
當前提交
800aef1942
共有 2 個文件被更改,包括 8 次插入0 次删除
  1. 5 0
      packages/backend/src/routers/logout.js
  2. 3 0
      src/initgui.js

+ 5 - 0
packages/backend/src/routers/logout.js

@@ -29,6 +29,11 @@ router.post('/logout', auth, express.json(), async (req, res, next)=>{
     // check subdomain
     if(require('../helpers').subdomain(req) !== 'api' && require('../helpers').subdomain(req) !== '')
         next();
+    // check anti-csrf token
+    const svc_antiCSRF = req.services.get('anti-csrf');
+    if ( ! svc_antiCSRF.consume_token(req.user.uuid, req.body.anti_csrf) ) {
+        return res.status(400).json({ message: 'incorrect anti-CSRF token' });
+    }
     // delete cookie
     res.clearCookie(config.cookie_name);
     // delete session
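Review bot: The new anti-CSRF block at lines 22–26 still runs on requests the subdomain check has already handed off, because the `next();` above it is not returned; on that path the handler can send the 400 while a later handler is also writing a response. Change the subdomain branch to `return next();` so the token check only executes for requests this handler actually owns. A rejected CSRF token is conventionally reported as 403 rather than 400, `return res.status(403).json({ message: 'incorrect anti-CSRF token' });`, though that is a matter of API style. The request body is only populated when the client sends `Content-Type: application/json`, since `express.json()` is the only parser on this route, so a form-encoded POST will always fail the check with `req.body.anti_csrf` undefined. The handler begins at the hunk's context line and its body continues past the hunk.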

+ 3 - 0
src/initgui.js

@@ -1981,6 +1981,8 @@ window.initgui = async function(){
 
         // logout
         try{
+            const resp = await fetch(`${window.gui_origin}/get-anticsrf-token`);
+            const { token } = await resp.json();
             await $.ajax({
                 url: window.gui_origin + "/logout",
                 type: 'POST',
@@ -1989,6 +1991,7 @@ window.initgui = async function(){
                 headers: {
                     "Authorization": "Bearer " + window.auth_token
                 },
+                data: JSON.stringify({ anti_csrf: token }),
                 statusCode: {
                     401: function () {
                     },
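Review bot: The `data: JSON.stringify({ anti_csrf: token })` added in the second hunk is sent with jQuery's default `application/x-www-form-urlencoded` content type unless `contentType` is set in one of the two option lines hidden between the hunks; the server route parses only `express.json()`, so in that case `req.body.anti_csrf` is undefined and every logout is rejected. Add `contentType: 'application/json',` next to the `data:` line if it is not already present. In the first hunk, the `fetch` of `/get-anticsrf-token` sends neither the `Authorization` header the `$.ajax` call uses nor an explicit `credentials` option, so if `window.gui_origin` is not same-origin the token request may be unauthenticated while the server consumes the token against `req.user.uuid`; confirm how that endpoint identifies the user. `resp.json()` is also called without checking `resp.ok`, so a non-JSON error page would throw inside the `try` rather than reporting a token failure; the `try` block's catch is outside the hunk.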