Security Issue: Missing CSRF Protection
Severity: MEDIUM
Location: All tRPC mutation endpoints
Description
No CSRF token validation is performed on state-modifying operations. A malicious web page loaded while the authentication cookie is present could trigger mutations with the victim's credentials, since the browser attaches the cookie automatically.
Current Mitigations
- Partition isolation reduces attack surface ✓
- SameSite=lax on cookies helps ✓ (the cookie is withheld from cross-site POSTs, but still sent on top-level GET navigations, so any mutation reachable via GET is not covered)
- Desktop app context (lower risk than web)
Risk
If the authentication cookie is set, malicious pages could:
- Create/delete projects
- Modify chat sessions
- Execute Claude operations
- Change settings
Recommendation
1. Implement CSRF Token

```ts
import crypto from 'node:crypto'
import { TRPCError } from '@trpc/server'

// Generate a token when the session is established and keep it server-side
// (`session` stands for the app's own session object)
const csrfToken = crypto.randomBytes(32).toString('hex')
session.set('csrfToken', csrfToken)

// Validate on every mutation: the client must send the token back (header or
// request body) and it must match the copy stored in the session
const validateCSRF = (token: string | undefined, session: Session) => {
  if (!token || token !== session.get('csrfToken')) {
    throw new TRPCError({ code: 'UNAUTHORIZED' })
  }
}
```

2. Custom Header
```ts
// Client: every tRPC request carries a custom header. A cross-site HTML form
// cannot add one, and fetch() from another origin would need a CORS preflight
headers: {
  'X-1Code-Request': 'true'
}

// Server: reject mutations that lack it (Node lower-cases header names)
if (req.headers['x-1code-request'] !== 'true') {
  throw new Error('Invalid request origin')
}
```

3. Origin Validation
```ts
// Validate the request origin. Origin is a bare origin, Referer is a full URL,
// so isValidOrigin must compare a Referer by prefix against the allow-list.
// Fail closed when both headers are absent instead of letting the request through.
const origin = req.headers.origin || req.headers.referer
if (!origin || !isValidOrigin(origin)) {
  throw new Error('Invalid origin')
}
```

Priority
Medium - the desktop app context carries lower CSRF risk than a web app, but the protection is still worth implementing.
Labels: security, csrf, trpc