From 60552d9d86766e0052583cd99e163dcb3999fde7 Mon Sep 17 00:00:00 2001
From: James
Date: Fri, 21 Aug 2020 15:20:21 -0400
Subject: [PATCH] implements potential csrf protection

---
 demo/payload.config.js    |  9 +++++++++
 src/auth/getExtractJWT.js | 10 +++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/demo/payload.config.js b/demo/payload.config.js
index ce02c65b5d..4f7466c3ca 100644
--- a/demo/payload.config.js
+++ b/demo/payload.config.js
@@ -28,6 +28,11 @@ const GlobalWithStrictAccess = require('./globals/GlobalWithStrictAccess');
 module.exports = {
   admin: {
     user: 'admins',
+    meta: {
+      titleSuffix: '- Payload',
+      ogImage: '/static/find-image-here.jpg',
+      favicon: '/img/whatever.png',
+    },
     disable: false,
     components: {
       layout: {
@@ -35,6 +40,10 @@ module.exports = {
       },
     },
   },
+  csrf: [
+    'http://localhost:3000',
+    'https://other-app-here.com',
+  ],
   collections: [
     Admin,
     AllFields,
diff --git a/src/auth/getExtractJWT.js b/src/auth/getExtractJWT.js
index 909c7387f0..7297cdbe79 100644
--- a/src/auth/getExtractJWT.js
+++ b/src/auth/getExtractJWT.js
@@ -10,9 +10,13 @@ const getExtractJWT = (config) => (req) => {
   const cookies = parseCookies(req);
   const tokenCookieName = `${config.cookiePrefix}-token`;
 
-  if (cookies && cookies[tokenCookieName]) {
-    const token = cookies[tokenCookieName];
-    return token;
+  if (cookies && cookies[tokenCookieName] && Array.isArray(config.csrf)) {
+    const { headers: { origin } = {} } = req;
+
+    if (config.csrf.indexOf(origin) > -1) {
+      const token = cookies[tokenCookieName];
+      return token;
+    }
   }
 
   return null;
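Review bot: The new `csrf` entries in the demo config are matched verbatim against the request's `Origin` header by the getExtractJWT change in this same patch, so a trailing slash, a path, or a differing port in a listed value will never match; the demo should say so since it is what users copy. A one-line comment above the array would do: `// Exact origin strings (scheme://host[:port]) compared verbatim to the request's Origin header; no paths or trailing slashes.` The `meta` block added in the first hunk of this file is unrelated to the CSRF subject and would be easier to review as its own commit.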
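Review bot: Requests that carry no `Origin` header are now rejected by the inner check, because `origin` destructures to `undefined` and `config.csrf.indexOf(undefined)` is `-1`; browsers omit `Origin` on same-origin GET navigations and most non-browser clients never send it, so cookie-based authentication for those requests silently stops working once `csrf` is configured. If that fail-closed behaviour is intended it needs to be stated, e.g. `// Cookie auth is only honoured when the request's Origin is in config.csrf; requests without an Origin header are treated as cross-site and fall through to null.` The outer condition has a second silent change: when `config.csrf` is absent or not an array, the cookie is ignored entirely rather than the check being skipped, which disables cookie login for every existing deployment that has not added the option, and nothing in the hunk or the commit message records that. For the comparison itself, `if (typeof origin === 'string' && config.csrf.includes(origin)) {` reads more clearly than `indexOf(origin) > -1` and makes the missing-header case explicit; the enclosing `getExtractJWT` arrow function begins before this hunk and its closing brace is after it.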