fix: Security migration from csurf to csrf-sync #3188
mtrezza merged 1 commit into parse-community:alpha from
Actionable comments posted: 2

Caution: some comments are outside the diff and can't be posted inline due to platform limitations.

Outside diff range comments (1)

Parse-Dashboard/app.js (1)

Line 1110: Potential issue | Critical

`req.csrfToken()` is not a function with csrf-sync; this will throw at runtime. As detailed in the Authentication.js review, csrf-sync does not add `csrfToken()` to the request object. This line will throw `TypeError: req.csrfToken is not a function` when any user visits the login page, completely breaking authentication.
In `@Parse-Dashboard/app.js`:

- Line 1067: The GET /login route uses Authentication.csrfProtection (csrfSynchronisedProtection) which ignores GET methods and therefore does not generate req.csrfToken(); update the route handler for app.get('/login', Authentication.csrfProtection, ...) to explicitly call Authentication.generateToken(req) (or the equivalent generateToken function referenced in Authentication.js) to create/retrieve the CSRF token and pass it into the rendered login page (e.g., add the token to the view locals or template data) so forms can embed the token; ensure you use the same token API defined in Authentication.js and keep the middleware in place.

In `@Parse-Dashboard/Authentication.js`:

- Around lines 3-10: The code currently only destructures csrfSynchronisedProtection from csrfSync but not generateToken, so req.csrfToken() in the login GET handler will break; update the csrfSync call in Authentication.js to also destructure and export generateToken (alongside csrfSynchronisedProtection) and then replace the call to req.csrfToken() in the login GET handler in app.js with generateToken(req) to obtain and embed the CSRF token.
# [8.5.0-alpha.2](8.5.0-alpha.1...8.5.0-alpha.2) (2026-02-07)

### Bug Fixes

* Security migration from csurf to csrf-sync ([#3188](#3188)) ([a95d8a3](a95d8a3))

🎉 This change has been released in version 8.5.0-alpha.2
# [8.5.0](8.4.0...8.5.0) (2026-02-12)

### Bug Fixes

* Auto-formatting not applied when Cloud Config parameter value is outdated and re-fetched from server ([#3182](#3182)) ([84eab36](84eab36))
* Clicking reload button in info panel may display fetched data in incorrect panel ([#3189](#3189)) ([b348ef5](b348ef5))
* Role linking in ACL fails with type error ([#3095](#3095)) ([2070d29](2070d29))
* Security migration from csurf to csrf-sync ([#3188](#3188)) ([a95d8a3](a95d8a3))
* View configuration dialog looses focus while typing and lacks syntax highlighting ([#3183](#3183)) ([715fe8d](715fe8d))

### Features

* Add keyboard shortcut to scroll info panels to top ([#3199](#3199)) ([7535626](7535626))
* Add option to reload all or only selected rows after invoking script ([#3200](#3200)) ([173b953](173b953))
* Add reload button to info panel on long loading time ([#3184](#3184)) ([3712d96](3712d96))
* Add support for script execution invoking dashboard form for user input ([#3201](#3201)) ([159f99d](159f99d))

🎉 This change has been released in version 8.5.0
Pull Request

Issue: Security migration from csurf to csrf-sync