Ramjat19 · Ramjat19 · Nov 5, 2025 · Nov 4, 2025 · Nov 5, 2025
diff --git a/.gitignore b/.gitignore
@@ -139,3 +139,5 @@ dist
 vite.config.js.timestamp-*
 vite.config.ts.timestamp-*
 .vite/
+
+Temp folder/
diff --git a/backend/package-lock.json b/backend/package-lock.json
diff --git a/backend/package.json b/backend/package.json
@@ -21,6 +21,7 @@
     "@types/socket.io": "^3.0.1",
     "bcryptjs": "^3.0.2",
     "cors": "^2.8.5",
+  "cookie-parser": "^1.4.6",
     "dotenv": "^17.2.3",
     "express": "^5.1.0",
     "express-rate-limit": "^8.2.0",
@@ -44,6 +45,7 @@
     "supertest": "^7.1.4",
     "ts-jest": "^29.4.4",
     "ts-node-dev": "^2.0.0",
+    "@types/cookie-parser": "^1.4.3",
     "typescript": "^5.9.2"
   }
 }
diff --git a/backend/src/app.ts b/backend/src/app.ts
@@ -1,4 +1,8 @@
+import dotenv from "dotenv";
+dotenv.config();
+
 import express from "express";
+import cookieParser from 'cookie-parser';
 import { createServer } from "http";
 import cors from "cors";
 import { 
@@ -7,7 +11,8 @@
   generalLimiter, 
   speedLimiter, 
   securityHeaders, 
-  requestSizeLimiter 
+  requestSizeLimiter,
+  csrfProtection
 } from "./middleware/security";
 import healthRoutes from "./routes/health";
 import authRoutes from "./routes/auth";
@@ -30,6 +35,10 @@
   app.use(helmetConfig); // Security headers
   app.use(securityHeaders); // Additional custom security headers
   app.use(corsConfig); // CORS policy
+  // Cookie parser (needed for refresh token cookie parsing)
+  app.use(cookieParser());
+  // CSRF Protection (defense in depth with SameSite cookies)
+  app.use(csrfProtection);
   app.use(requestSizeLimiter); // Request size limiting
   // Note: Rate limiting now applied per-route for better control
 

diff --git a/backend/src/middleware/security.ts b/backend/src/middleware/security.ts
@@ -105,6 +105,12 @@ export const authLimiter = createRateLimit(
   'Too many authentication attempts, please try again later'
 );
 
+export const refreshLimiter = createRateLimit(
+  15 * 60 * 1000, // 15 minutes
+  30, // 30 refresh attempts per window
+  'Too many token refresh attempts, please try again later'
+);
+
 export const generalLimiter = createRateLimit(
   15 * 60 * 1000, // 15 minutes
   500, // 500 requests per window (increased for better UX)
@@ -201,4 +207,57 @@ export const securityHeaders = (req: Request, res: Response, next: NextFunction)
   res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
 
   next();
-};
+};
+
+// CSRF Protection via Origin/Referer Validation (defense in depth with SameSite cookies)
+export const csrfProtection = (req: Request, res: Response, next: NextFunction) => {
+  // Skip CSRF for GET, HEAD, OPTIONS (safe methods)
+  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {
+    return next();
+  }
+
+  // Get origin or referer
+  const origin = req.get('origin');
+  const referer = req.get('referer');
+
+  // In development, be more lenient
+  if (process.env.NODE_ENV === 'development') {
+    return next();
+  }
+
+  // Build allowed origins
+  const envList = (process.env.FRONTEND_URLS || process.env.FRONTEND_URL || '')
+    .split(',')
+    .map(s => s.trim())
+    .filter(Boolean);
+
+  const allowedOrigins = [
+    'http://localhost:3000',
+    'http://localhost:5173',
+    'https://collab-code-review.vercel.app',
+    'https://collab-code-review-ram-prasads-projects-12031425.vercel.app',
+    ...envList
+  ];
+
+  // Check origin
+  if (origin) {
+    const isAllowed = allowedOrigins.some(allowed => origin === allowed) ||
+                     /https?:\/\/[a-z0-9-]+\.vercel\.app$/i.test(origin);
+    if (isAllowed) {
+      return next();
+    }
+  }
+
+  // Check referer as fallback
+  if (referer) {
+    const isAllowed = allowedOrigins.some(allowed => referer.startsWith(allowed)) ||
+                     /https?:\/\/[a-z0-9-]+\.vercel\.app/i.test(referer);
+    if (isAllowed) {
+      return next();
+    }
+  }
+
+  // If no origin/referer or they don't match, reject
+  console.warn(`CSRF protection blocked request from origin: ${origin}, referer: ${referer}`);
+  res.status(403).json({ error: 'CSRF validation failed' });
+};
diff --git a/backend/src/models/RefreshToken.ts b/backend/src/models/RefreshToken.ts
@@ -0,0 +1,30 @@
+import mongoose, { Schema, Document } from 'mongoose';
+
+export interface IRefreshToken extends Document {
+  user: mongoose.Types.ObjectId;
+  tokenHash: string;
+  expiresAt: Date;
+  createdAt: Date;
+  createdByIp?: string;
+  revoked?: boolean;
+  revokedAt?: Date;
+  revokedByIp?: string;
+  replacedByToken?: string;
+}
+
+const refreshTokenSchema = new Schema<IRefreshToken>(
+  {
+    user: { type: Schema.Types.ObjectId, ref: 'User', required: true },
+    tokenHash: { type: String, required: true, index: true },
+    expiresAt: { type: Date, required: true },
+    createdAt: { type: Date, default: Date.now },
+    createdByIp: { type: String },
+    revoked: { type: Boolean, default: false },
+    revokedAt: { type: Date },
+    revokedByIp: { type: String },
+    replacedByToken: { type: String }
+  },
+  { timestamps: false }
+);
+
+export default mongoose.model<IRefreshToken>('RefreshToken', refreshTokenSchema);