feat(client, server): simple csrf protection plugin (#346)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Introduced a new CSRF protection plugin that enhances security by
validating token authenticity.
- Added a sidebar link for easy access to the CSRF protection
documentation.

- **Documentation**
- Updated the Batch Request/Response Plugin docs to clarify support for
custom implementations.
- Released detailed setup and integration instructions for the new CSRF
protection plugin.
  - Added new documentation for the Simple CSRF Protection Plugin.

- **Tests**
- Added comprehensive tests to verify CSRF protection functionality on
both client and server sides.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: unnoq

apps/content/.vitepress/config.ts

@@ -112,6 +112,7 @@ export default defineConfig({
             { text: 'Batch Request/Response', link: '/docs/plugins/batch-request-response' },
             { text: 'Client Retry', link: '/docs/plugins/client-retry' },
             { text: 'Body Limit', link: '/docs/plugins/body-limit' },
+            { text: 'Simple CSRF Protection', link: '/docs/plugins/simple-csrf-protection' },
           ],
         },
         {

apps/content/docs/plugins/batch-request-response.md

@@ -29,7 +29,7 @@ const handler = new RPCHandler(router, {
 ```
 
 ::: info
-The `handler` can be any supported oRPC handler, such as [RPCHandler](/docs/rpc-handler) or [OpenAPIHandler](/docs/openapi/openapi-handler). Note that this plugin uses its own protocol for batching requests and responses, which is different from the handler’s native protocol.
+The `handler` can be any supported oRPC handler, such as [RPCHandler](/docs/rpc-handler), [OpenAPIHandler](/docs/openapi/openapi-handler) or custom implementations. Note that this plugin uses its own protocol for batching requests and responses, which is different from the handler’s native protocol.
 :::
 
 ### Client
@@ -38,8 +38,9 @@ To use the `BatchLinkPlugin`, define at least one group. Requests within the sam
 
 ```ts twoslash
 import { RPCLink } from '@orpc/client/fetch'
-import { BatchLinkPlugin } from '@orpc/client/plugins'
 // ---cut---
+import { BatchLinkPlugin } from '@orpc/client/plugins'
+
 const link = new RPCLink({
   url: 'https://api.example.com/rpc',
   plugins: [
@@ -55,6 +56,10 @@ const link = new RPCLink({
 })
 ```
 
+::: info
+The `link` can be any supported oRPC link, such as [RPCLink](/docs/client/rpc-link), [OpenAPILink](/docs/openapi/client/openapi-link), or custom implementations.
+:::
+
 ## Limitations
 
 The plugin does not support [AsyncIteratorObject](/docs/rpc-handler#supported-data-types) or [File/Blob](/docs/rpc-handler#supported-data-types) in responses (requests will auto fall back to the default behavior). To exclude unsupported procedures, use the `exclude` option:

apps/content/docs/plugins/simple-csrf-protection.md

@@ -0,0 +1,54 @@
+---
+title: Simple CSRF Protection Plugin
+description: Simple CSRF Protection plugin for oRPC.
+---
+
+# Simple CSRF Protection
+
+This plugin adds basic Cross-Site Request Forgery (CSRF) protection to your oRPC application. It helps ensure that requests to your procedures originate from JavaScript code, not from other sources like standard HTML forms or direct browser navigation.
+
+## When to Use
+
+This plugin is beneficial if your application stores sensitive data (like session or auth tokens) in Cookie storage using `SameSite=Lax` (the default) or `SameSite=None`.
+
+## Setup
+
+This plugin requires configuration on both the server and client sides.
+
+### Server
+
+```ts twoslash
+import { RPCHandler } from '@orpc/server/fetch'
+import { router } from './shared/planet'
+// ---cut---
+import { SimpleCsrfProtectionHandlerPlugin } from '@orpc/server/plugins'
+
+const handler = new RPCHandler(router, {
+  plugins: [
+    new SimpleCsrfProtectionHandlerPlugin()
+  ],
+})
+```
+
+::: info
+The `handler` can be any supported oRPC handler, such as [RPCHandler](/docs/rpc-handler), [OpenAPIHandler](/docs/openapi/openapi-handler), or custom implementations.
+:::
+
+### Client
+
+```ts twoslash
+import { RPCLink } from '@orpc/client/fetch'
+// ---cut---
+import { SimpleCsrfProtectionLinkPlugin } from '@orpc/client/plugins'
+
+const link = new RPCLink({
+  url: 'https://api.example.com/rpc',
+  plugins: [
+    new SimpleCsrfProtectionLinkPlugin(),
+  ],
+})
+```
+
+::: info
+The `link` can be any supported oRPC link, such as [RPCLink](/docs/client/rpc-link), [OpenAPILink](/docs/openapi/client/openapi-link), or custom implementations.
+:::

packages/client/src/plugins/index.ts

@@ -1,2 +1,3 @@
 export * from './batch'
 export * from './retry'
+export * from './simple-csrf-protection'

packages/client/src/plugins/simple-csrf-protection.test.ts

@@ -0,0 +1,62 @@
+import { RPCHandler } from '../../../server/src/adapters/fetch/rpc-handler'
+import { os } from '../../../server/src/builder'
+import { SimpleCsrfProtectionHandlerPlugin } from '../../../server/src/plugins/simple-csrf-protection'
+import { RPCLink } from '../adapters/fetch'
+import { SimpleCsrfProtectionLinkPlugin } from './simple-csrf-protection'
+
+describe('simpleCsrfProtectionLinkPlugin', () => {
+  const handler = new RPCHandler({
+    ping: os.handler(() => 'pong'),
+  }, {
+    plugins: [
+      new SimpleCsrfProtectionHandlerPlugin(),
+    ],
+  })
+
+  const link = new RPCLink({
+    url: new URL('http://localhost/prefix'),
+    fetch: async (request) => {
+      const { response } = await handler.handle(request, { prefix: '/prefix' })
+
+      return response ?? new Response(null, {
+        status: 500,
+      })
+    },
+    plugins: [
+      new SimpleCsrfProtectionLinkPlugin(),
+    ],
+  })
+
+  it('should work', async () => {
+    await expect(
+      link.call(['ping'], 'input', { context: {} }),
+    ).resolves.toEqual('pong')
+  })
+
+  it('can exclude procedure', async () => {
+    const exclude = vi.fn(() => true)
+
+    const link = new RPCLink({
+      url: new URL('http://localhost/prefix'),
+      fetch: async (request) => {
+        const { response } = await handler.handle(request, { prefix: '/prefix' })
+
+        return response ?? new Response(null, {
+          status: 500,
+        })
+      },
+      plugins: [
+        new SimpleCsrfProtectionLinkPlugin({ exclude }),
+      ],
+    })
+
+    await expect(
+      link.call(['ping'], 'input', { context: {} }),
+    ).rejects.toThrowError('Invalid CSRF token')
+
+    expect(exclude).toHaveBeenCalledTimes(1)
+    expect(exclude).toHaveBeenCalledWith(expect.objectContaining({
+      path: ['ping'],
+    }))
+  })
+})

packages/client/src/plugins/simple-csrf-protection.ts

@@ -0,0 +1,67 @@
+import type { StandardLinkClientInterceptorOptions, StandardLinkOptions, StandardLinkPlugin } from '../adapters/standard'
+import type { ClientContext } from '../types'
+import { value, type Value } from '@orpc/shared'
+
+export interface SimpleCsrfProtectionLinkPluginOptions<T extends ClientContext> {
+  /**
+   * The name of the header to check.
+   *
+   * @default 'x-csrf-token'
+   */
+  headerName?: Value<string, [options: StandardLinkClientInterceptorOptions<T>]>
+
+  /**
+   * The value of the header to check.
+   *
+   * @default 'orpc'
+   *
+   */
+  headerValue?: Value<string, [options: StandardLinkClientInterceptorOptions<T>]>
+
+  /**
+   * Exclude a procedure from the plugin.
+   *
+   * @default false
+   */
+  exclude?: Value<boolean, [options: StandardLinkClientInterceptorOptions<T>]>
+}
+
+export class SimpleCsrfProtectionLinkPlugin<T extends ClientContext> implements StandardLinkPlugin<T> {
+  private readonly headerName: Exclude<SimpleCsrfProtectionLinkPluginOptions<T>['headerName'], undefined>
+  private readonly headerValue: Exclude<SimpleCsrfProtectionLinkPluginOptions<T>['headerValue'], undefined>
+  private readonly exclude: Exclude<SimpleCsrfProtectionLinkPluginOptions<T>['exclude'], undefined>
+
+  constructor(options: SimpleCsrfProtectionLinkPluginOptions<T> = {}) {
+    this.headerName = options.headerName ?? 'x-csrf-token'
+    this.headerValue = options.headerValue ?? 'orpc'
+    this.exclude = options.exclude ?? false
+  }
+
+  order = 8_000_000
+
+  init(options: StandardLinkOptions<T>): void {
+    options.clientInterceptors ??= []
+
+    options.clientInterceptors.push(async (options) => {
+      const excluded = await value(this.exclude, options)
+
+      if (excluded) {
+        return options.next()
+      }
+
+      const headerName = await value(this.headerName, options)
+      const headerValue = await value(this.headerValue, options)
+
+      return options.next({
+        ...options,
+        request: {
+          ...options.request,
+          headers: {
+            ...options.request.headers,
+            [headerName]: headerValue,
+          },
+        },
+      })
+    })
+  }
+}

packages/server/src/plugins/index.ts

@@ -1,3 +1,4 @@
 export * from './batch'
 export * from './cors'
 export * from './response-headers'
+export * from './simple-csrf-protection'

packages/server/src/plugins/simple-csrf-protection.test.ts

@@ -0,0 +1,79 @@
+import { RPCHandler } from '../adapters/fetch'
+import { os } from '../builder'
+import { SimpleCsrfProtectionHandlerPlugin } from './simple-csrf-protection'
+
+beforeEach(() => {
+  vi.clearAllMocks()
+})
+
+describe('simpleCsrfProtectionHandlerPlugin', () => {
+  const interceptor = vi.fn(({ next }) => next())
+
+  const handler = new RPCHandler({
+    ping: os.handler(() => 'pong'),
+  }, {
+    plugins: [
+      new SimpleCsrfProtectionHandlerPlugin(),
+    ],
+    rootInterceptors: [interceptor],
+  })
+
+  it('should work', async () => {
+    await expect(
+      handler.handle(new Request('http://localhost/ping?data=%7B%7D')),
+    ).resolves.toEqual({ matched: true, response: expect.toSatisfy(response => response.status === 403) })
+
+    await expect(
+      handler.handle(new Request('http://localhost/ping?data=%7B%7D', {
+        headers: {
+          'x-csrf-token': 'orpc',
+        },
+      })),
+    ).resolves.toEqual({ matched: true, response: expect.toSatisfy(response => response.status === 200) })
+  })
+
+  it('should throw error when interceptor messes with the context', async () => {
+    interceptor.mockImplementation((options) => {
+      return options.next({
+        ...options,
+        context: {}, // <-- interceptor messes with the context
+      })
+    })
+
+    await expect(
+      handler.handle(new Request('http://localhost/ping?data=%7B%7D')),
+    ).resolves.toEqual({ matched: true, response: expect.toSatisfy(response => response.status === 500) })
+
+    await expect(
+      handler.handle(new Request('http://localhost/ping?data=%7B%7D', {
+        headers: {
+          'x-csrf-token': 'orpc',
+        },
+      })),
+    ).resolves.toEqual({ matched: true, response: expect.toSatisfy(response => response.status === 500) })
+  })
+
+  it('can exclude procedure', async () => {
+    const exclude = vi.fn(() => true)
+
+    const ping = os.handler(() => 'pong')
+
+    const handler = new RPCHandler({ ping }, {
+      plugins: [
+        new SimpleCsrfProtectionHandlerPlugin({
+          exclude,
+        }),
+      ],
+    })
+
+    await expect(
+      handler.handle(new Request('http://localhost/ping?data=%7B%7D')),
+    ).resolves.toEqual({ matched: true, response: expect.toSatisfy(response => response.status === 200) })
+
+    expect(exclude).toHaveBeenCalledTimes(1)
+    expect(exclude).toHaveBeenCalledWith(expect.objectContaining({
+      path: ['ping'],
+      procedure: ping,
+    }))
+  })
+})