build: Release (#3211)

Author: mtrezza

.github/pull_request_template.md

@@ -4,9 +4,7 @@
 - Any contribution is under this [license](https://github.com/parse-community/parse-dashboard/blob/alpha/LICENSE).
 
 ## Issue
-<!-- Add the link to the issue that this PR closes. -->
-
-Closes: FILL_THIS_OUT
+<!-- Describe or link the issue that this PR closes. -->
 
 ## Approach
 <!-- Describe the changes in this PR. -->

Parse-Dashboard/Authentication.js

@@ -1,10 +1,14 @@
 'use strict';
 const bcrypt = require('bcryptjs');
-const csrf = require('csurf');
+const { csrfSync } = require('csrf-sync');
 const passport = require('passport');
 const LocalStrategy = require('passport-local').Strategy;
 const OTPAuth = require('otpauth')
 
+const { csrfSynchronisedProtection } = csrfSync({
+  getTokenFromRequest: (req) => req.body._csrf || req.headers['x-csrf-token'],
+});
+
 /**
  * Constructor for Authentication class
  *
@@ -27,7 +31,7 @@ function initialize(app, options) {
       const match = self.authenticate({
         name: username,
         pass: password,
-        otpCode: req.body.otpCode
+        otpCode: req.body?.otpCode
       });
       if (!match.matchingUsername) {
         return cb(null, false, { message: JSON.stringify({ text: 'Invalid username or password' }) });
@@ -81,11 +85,11 @@ function initialize(app, options) {
   app.use(passport.session());
 
   app.post('/login',
-    csrf(),
+    csrfSynchronisedProtection,
     (req,res,next) => {
       let redirect = 'apps';
       let originalRedirect = null;
-      if (req.body.redirect) {
+      if (req.body?.redirect) {
         originalRedirect = req.body.redirect;
         // Validate redirect to prevent open redirect vulnerability
         if (originalRedirect.includes('://') || originalRedirect.startsWith('//')) {
@@ -176,5 +180,6 @@ function authenticate(userToTest, usernameOnly) {
 
 Authentication.prototype.initialize = initialize;
 Authentication.prototype.authenticate = authenticate;
+Authentication.csrfProtection = csrfSynchronisedProtection;
 
 module.exports = Authentication;

Parse-Dashboard/app.js

@@ -2,7 +2,6 @@
 
 const express = require('express');
 const path = require('path');
-const csrf = require('csurf');
 const Authentication = require('./Authentication.js');
 const fs = require('fs');
 const ConfigKeyCache = require('./configKeyCache.js');
@@ -201,7 +200,7 @@ module.exports = function(config, options) {
     // Agent API endpoint for handling AI requests - scoped to specific app
     app.post('/apps/:appId/agent', async (req, res) => {
       try {
-        const { message, modelName, conversationId, permissions } = req.body;
+        const { message, modelName, conversationId, permissions } = req.body || {};
         const { appId } = req.params;
 
         if (!message || typeof message !== 'string' || message.trim() === '') {
@@ -1065,7 +1064,7 @@ You have direct access to the Parse database through function calls, so you can
       }
     }
 
-    app.get('/login', csrf(), function(req, res) {
+    app.get('/login', Authentication.csrfProtection, function(req, res) {
       let redirectURL = null;
       try {
         const url = new URL(req.url, 'http://localhost');
@@ -1116,7 +1115,7 @@ You have direct access to the Parse database through function calls, so you can
     });
 
     // For every other request, go to index.html. Let client-side handle the rest.
-    app.get('/*', function(req, res) {
+    app.get('{*splat}', function(req, res) {
       if (users && (!req.user || !req.user.isAuthenticated)) {
         const redirect = req.url.replace('/login', '');
         if (redirect.length > 1) {