fix: replace deprecated csurf and native-url packages

api/app.ts

@@ -2,7 +2,8 @@ import type { Request, RequestHandler, Response, Router } from 'express'
 import express from 'express'
 import history from 'connect-history-api-fallback'
 import cors from 'cors'
-import csrf from 'csurf'
+import cookieParser from 'cookie-parser'
+import { csrfSync } from 'csrf-sync'
 import morgan from 'morgan'
 import type { Settings, User } from './config/store.ts'
 import store from './config/store.ts'
@@ -532,6 +533,7 @@ app.use(
 		},
 	) as RequestHandler,
 )
+app.use(cookieParser())
 app.use(express.json({ limit: '50mb' }) as RequestHandler)
 app.use(
 	express.urlencoded({
@@ -541,6 +543,33 @@ app.use(
 	}) as RequestHandler,
 )
 
+// enable sessions management - must be before history middleware for CSRF to work
+app.use(
+	session({
+		name: 'zwave-js-ui-session',
+		secret: sessionSecret,
+		resave: false,
+		saveUninitialized: true, // Required for CSRF protection to work
+		store: new FileStore({
+			path: path.join(storeDir, 'sessions'),
+			logFn: (...args: any[]) => {
+				// skip ENOENT errors
+				if (
+					args &&
+					args.filter((a) => a.indexOf('ENOENT') >= 0).length === 0
+				) {
+					logger.debug(args[0])
+				}
+			},
+		}),
+		cookie: {
+			secure: !!process.env.HTTPS || !!process.env.USE_SECURE_COOKIE,
+			httpOnly: true, // prevents cookie to be sent by client javascript
+			maxAge: 24 * 60 * 60 * 1000, // one day
+		},
+	}),
+)
+
 // must be placed before history middleware
 app.use(function (req, res, next) {
 	if (pluginsRouter !== undefined) {
@@ -550,6 +579,17 @@ app.use(function (req, res, next) {
 	}
 })
 
+// CSRF token endpoint - must be before history middleware, placed here as a route
+// Session middleware will have run by the time this route is matched
+app.get('/api/csrf-token', apisLimiter, function (req, res) {
+	// Ensure session exists before generating token
+	if (!req.session) {
+		return res.status(500).json({ error: 'Session not initialized' })
+	}
+	const token = generateToken(req)
+	res.json({ token })
+})
+
 app.use(
 	// @ts-expect-error types not matching
 	history({
@@ -582,37 +622,13 @@ app.use('/', express.static(utils.joinPath(false, 'dist')))
 
 app.use(cors({ credentials: true, origin: true }))
 
-// enable sessions management
-app.use(
-	session({
-		name: 'zwave-js-ui-session',
-		secret: sessionSecret,
-		resave: false,
-		saveUninitialized: false,
-		store: new FileStore({
-			path: path.join(storeDir, 'sessions'),
-			logFn: (...args: any[]) => {
-				// skip ENOENT errors
-				if (
-					args &&
-					args.filter((a) => a.indexOf('ENOENT') >= 0).length === 0
-				) {
-					logger.debug(args[0])
-				}
-			},
-		}),
-		cookie: {
-			secure: !!process.env.HTTPS || !!process.env.USE_SECURE_COOKIE,
-			httpOnly: true, // prevents cookie to be sent by client javascript
-			maxAge: 24 * 60 * 60 * 1000, // one day
-		},
-	}),
-)
-
-// Node.js CSRF protection middleware.
-// Requires either a session middleware or cookie-parser to be initialized first.
-const csrfProtection = csrf({
-	value: (req) => req.csrfToken(),
+// Node.js CSRF protection middleware using the Synchronizer Token pattern.
+// This is more appropriate for session-based authentication than Double Submit Cookie.
+const { csrfSynchronisedProtection, generateToken } = csrfSync({
+	getTokenFromRequest: (req) => {
+		// Check multiple possible locations for the token
+		return req.body._csrf || req.query._csrf || req.headers['x-csrf-token']
+	},
 })
 
 // ### SOCKET SETUP
@@ -879,8 +895,7 @@ app.get('/api/auth-enabled', apisLimiter, function (req, res) {
 app.post(
 	'/api/authenticate',
 	loginLimiter,
-	// @ts-expect-error types not matching
-	csrfProtection,
+	csrfSynchronisedProtection,
 	async function (req, res) {
 		const token = req.body.token
 		let user: User
@@ -976,8 +991,7 @@ app.get('/api/logout', apisLimiter, isAuthenticated, function (req, res) {
 app.put(
 	'/api/password',
 	apisLimiter,
-	// @ts-expect-error types not matching
-	csrfProtection,
+	csrfSynchronisedProtection,
 	isAuthenticated,
 	async function (req, res) {
 		try {

api/lib/MqttClient.ts

@@ -20,7 +20,6 @@ import { storeDir } from '../config/app.ts'
 import { ensureDir } from './utils.ts'
 import { Manager } from 'mqtt-jsonl-store'
 import { join } from 'node:path'
-import url from 'native-url'
 
 const logger = module('Mqtt')
 
@@ -351,10 +350,21 @@ class MqttClient extends TypedEventEmitter<MqttClientEventCallbacks> {
 			MqttClient.NAME_PREFIX + (process.env.MQTT_NAME || config.name),
 		)
 
-		const parsed = url.parse(config.host || '')
+		let parsed: URL | null = null
 		let protocol = 'mqtt'
+		let hostname = config.host
 
-		if (parsed.protocol) protocol = parsed.protocol.replace(/:$/, '')
+		// Try to parse as URL if it contains a protocol
+		try {
+			parsed = new URL(config.host || '')
+			if (parsed.protocol) {
+				protocol = parsed.protocol.replace(/:$/, '')
+				hostname = parsed.hostname
+			}
+		} catch {
+			// If parsing fails, treat as hostname without protocol
+			hostname = config.host
+		}
 
 		const options: IClientOptions = {
 			clientId: this._clientID,
@@ -397,9 +407,7 @@ class MqttClient extends TypedEventEmitter<MqttClientEventCallbacks> {
 		}
 
 		try {
-			const serverUrl = `${protocol}://${
-				parsed.hostname || config.host
-			}:${config.port}`
+			const serverUrl = `${protocol}://${hostname || config.host}:${config.port}`
 			logger.info(`Connecting to ${serverUrl}`)
 
 			const client = connect(serverUrl, options)