csrf protection

isshaddad · isshaddad · commit 270c7530dbc9 · 2026-01-26T15:09:21.000-05:00
diff --git a/apps/webapp/app/routes/admin._index.tsx b/apps/webapp/app/routes/admin._index.tsx
@@ -22,7 +22,11 @@ import {
 import { useUser } from "~/hooks/useUser";
 import { adminGetUsers, redirectWithImpersonation } from "~/models/admin.server";
 import { requireUser, requireUserId } from "~/services/session.server";
+import {
+  validateAndConsumeImpersonationToken,
+} from "~/services/impersonation.server";
 import { createSearchParams } from "~/utils/searchParams";
+import { logger } from "~/services/logger.server";
 
 export const SearchParams = z.object({
   page: z.coerce.number().optional(),
@@ -48,8 +52,23 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   // Check if this is an impersonation request via query parameter (e.g., from Plain customer cards)
   const url = new URL(request.url);
   const impersonateUserId = url.searchParams.get("impersonate");
+  const impersonationToken = url.searchParams.get("impersonationToken");
 
   if (impersonateUserId) {
+    // Require both userId and token for GET-based impersonation
+    if (!impersonationToken) {
+      logger.warn("Impersonation request missing token");
+      return redirect("/");
+    }
+
+    // Validate and consume the token (prevents replay attacks)
+    const validatedUserId = await validateAndConsumeImpersonationToken(impersonationToken);
+
+    if (!validatedUserId || validatedUserId !== impersonateUserId) {
+      logger.warn("Invalid or expired impersonation token");
+      return redirect("/");
+    }
+
     return handleImpersonationRequest(request, impersonateUserId);
   }
 
diff --git a/apps/webapp/app/routes/api.v1.plain.customer-cards.ts b/apps/webapp/app/routes/api.v1.plain.customer-cards.ts
@@ -6,6 +6,7 @@ import { z } from "zod";
 import { prisma } from "~/db.server";
 import { env } from "~/env.server";
 import { logger } from "~/services/logger.server";
+import { generateImpersonationToken } from "~/services/impersonation.server";
 
 // Schema for the request body from Plain
 const PlainCustomerCardRequestSchema = z.object({
@@ -142,8 +143,10 @@ export async function action({ request }: ActionFunctionArgs) {
     for (const cardKey of cardKeys) {
       switch (cardKey) {
         case "account-details": {
-          // Build the impersonate URL
-          const impersonateUrl = `${env.APP_ORIGIN}/admin?impersonate=${user.id}`;
+          // Generate a signed one-time token for impersonation
+          const impersonationToken = await generateImpersonationToken(user.id);
+          // Build the impersonate URL with token for CSRF protection
+          const impersonateUrl = `${env.APP_ORIGIN}/admin?impersonate=${user.id}&impersonationToken=${encodeURIComponent(impersonationToken)}`;
 
           cards.push({
             key: "account-details",
diff --git a/apps/webapp/app/services/impersonation.server.ts b/apps/webapp/app/services/impersonation.server.ts
@@ -1,5 +1,9 @@
 import { createCookieSessionStorage, type Session } from "@remix-run/node";
+import { SignJWT, jwtVerify, errors } from "jose";
+import { singleton } from "~/utils/singleton";
+import { createRedisClient, type RedisClient } from "~/redis.server";
 import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
 
 export const impersonationSessionStorage = createCookieSessionStorage({
   cookie: {
@@ -42,3 +46,89 @@ export async function clearImpersonationId(request: Request) {
 
   return session;
 }
+
+// Impersonation token utilities for CSRF protection
+const IMPERSONATION_TOKEN_EXPIRY_SECONDS = 5 * 60; // 5 minutes
+
+function getImpersonationTokenSecret(): Uint8Array {
+  return new TextEncoder().encode(env.SESSION_SECRET);
+}
+
+function getImpersonationTokenRedisClient(): RedisClient {
+  return singleton(
+    "impersonationTokenRedis",
+    () =>
+      createRedisClient("impersonation:token", {
+        host: env.CACHE_REDIS_HOST,
+        port: env.CACHE_REDIS_PORT,
+        username: env.CACHE_REDIS_USERNAME,
+        password: env.CACHE_REDIS_PASSWORD,
+        tlsDisabled: env.CACHE_REDIS_TLS_DISABLED === "true",
+        clusterMode: env.CACHE_REDIS_CLUSTER_MODE_ENABLED === "1",
+        keyPrefix: "impersonation:token:",
+      })
+  );
+}
+
+/**
+ * Generate a signed one-time impersonation token for a user
+ */
+export async function generateImpersonationToken(userId: string): Promise<string> {
+  const secret = getImpersonationTokenSecret();
+  const now = Math.floor(Date.now() / 1000);
+
+  const token = await new SignJWT({ userId })
+    .setProtectedHeader({ alg: "HS256" })
+    .setIssuedAt(now)
+    .setExpirationTime(now + IMPERSONATION_TOKEN_EXPIRY_SECONDS)
+    .setIssuer("https://trigger.dev")
+    .setAudience("https://trigger.dev/admin")
+    .sign(secret);
+
+  return token;
+}
+
+/**
+ * Validate and consume an impersonation token (prevents replay attacks)
+ */
+export async function validateAndConsumeImpersonationToken(
+  token: string
+): Promise<string | undefined> {
+  try {
+    const secret = getImpersonationTokenSecret();
+
+    // Verify the token signature and expiration
+    const { payload } = await jwtVerify(token, secret, {
+      issuer: "https://trigger.dev",
+      audience: "https://trigger.dev/admin",
+    });
+
+    const userId = payload.userId as string | undefined;
+    if (!userId || typeof userId !== "string") {
+      return undefined;
+    }
+
+    // Check if token has already been used (prevent replay attacks)
+    const redis = getImpersonationTokenRedisClient();
+    const tokenKey = token;
+
+    // Try to set the key with NX (only if not exists) and expiration
+    // This atomically marks the token as used
+    const result = await redis.set(tokenKey, "1", "EX", IMPERSONATION_TOKEN_EXPIRY_SECONDS, "NX");
+
+    if (result !== "OK") {
+      // Token was already used
+      return undefined;
+    }
+
+    return userId;
+  } catch (error) {
+    if (error instanceof errors.JWTExpired || error instanceof errors.JWTInvalid) {
+      return undefined;
+    }
+    logger.error("Error validating impersonation token", {
+      error: error instanceof Error ? error.message : String(error),
+    });
+    return undefined;
+  }
+}
