import { timingSafeEqual } from 'node:crypto';
import type { Request, Response, NextFunction } from 'express';
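/** HTTP methods that can change server state and therefore must carry a CSRF token. */
const MUTATION_METHODS: ReadonlySet<string> = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

/**
 * Paths exempt from the check. Matched exactly against `req.path` — no
 * trailing-slash or case normalisation, and relative to the mount point when the
 * middleware is mounted under a prefix (confirm against the app wiring).
 */
const SKIP_PATHS: ReadonlySet<string> = new Set(['/auth/login']);

/**
 * Shape of the per-request session this middleware reads. Presumably attached to
 * the request by an earlier middleware; only `csrf_token` is consumed here.
 */
interface DashboardSession {
  csrf_token?: unknown;
}

/**
 * Compares the submitted token with the session token in constant time.
 *
 * A plain `!==` short-circuits on the first differing byte, which leaks how many
 * leading bytes matched; `timingSafeEqual` avoids that.
 *
 * @param candidate Raw `x-csrf-token` header value; anything other than a
 *   non-empty string is rejected.
 * @param expected Token stored in the session; anything other than a string is rejected.
 * @returns `true` only when both are strings with identical bytes and the
 *   candidate is non-empty.
 */
function tokensMatch(candidate: unknown, expected: unknown): boolean {
  if (typeof candidate !== 'string' || typeof expected !== 'string') {
    return false;
  }
  if (candidate.length === 0) {
    return false;
  }
  const submitted = Buffer.from(candidate, 'utf8');
  const stored = Buffer.from(expected, 'utf8');
  // timingSafeEqual throws on buffers of different length; a length mismatch is
  // simply "no match".
  if (submitted.length !== stored.length) {
    return false;
  }
  return timingSafeEqual(submitted, stored);
}

/**
 * Express middleware that enforces a session-bound CSRF token on state-changing
 * requests.
 *
 * Flow: safe methods and exempt paths pass straight through; a request with no
 * `dashboardSession` also passes through; otherwise the `x-csrf-token` header
 * must match `session.csrf_token` or the request is answered with 403.
 *
 * @param req Incoming request; `dashboardSession` is read off it if present.
 * @param res Used only to send the 403 JSON error.
 * @param next Called when the request may proceed.
 */
export function csrfMiddleware(req: Request, res: Response, next: NextFunction): void {
  // Safe methods (GET, HEAD, OPTIONS, …) are never checked.
  if (!MUTATION_METHODS.has(req.method)) {
    next();
    return;
  }
  // Exempt paths: the login endpoint has no session yet that could hold a token.
  if (SKIP_PATHS.has(req.path)) {
    next();
    return;
  }
  // No session means nothing to compare against, so the request passes unchecked.
  // NOTE(review): this relies on downstream handlers rejecting unauthenticated
  // mutations; otherwise a session-less POST bypasses the check — confirm.
  const session = (req as Request & { dashboardSession?: DashboardSession }).dashboardSession;
  if (!session) {
    next();
    return;
  }
  // Express types this as string | string[] | undefined; tokensMatch rejects
  // anything that is not a non-empty string, so no cast is needed here.
  const headerToken = req.headers['x-csrf-token'];
  if (!tokensMatch(headerToken, session.csrf_token)) {
    res.status(403).json({ error: 'Invalid or missing CSRF token' });
    return;
  }
  next();
}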