CSRF connect middlewares using signed tokens
Parameters
| parameter | type | description |
|---|---|---|
secret |
string | a server side secret |
[opts] |
Object | optional: options |
[opts.name=csrf] |
string | optional: header & cookie name of token |
[opts.cookie] |
Object | optional: cookie options - defaults to {path: '/', httpOnly: true, secure: true, sameSite: true} |
[opts.token] |
Object | optional: signedToken options - defaults to {digest: 'sha256', commonlen: 24, tokenlen: 48} |
[opts.ignoreMethods] |
Array<string> | optional: ignore methods ['HEAD', 'OPTIONS'] |
[opts.host] |
string | optional: hostname of service to check against |
Connect middleware (req, res, next) => {}
Creates method req.csrfToken() to get CSRF token as well as the secret for
signing in req.session.csrf if available or sets a csrf cookie.
Name of session key and cookie name can be changed via opts.name.
Default name is csrf.
NOTE: If used together with verifyXhr() only set CSRF Cookie on successful login!
Connect middleware (req, res, next) => {}
Obtains a token from a request using either req.body.csrf, req.query.csrf or req.headers['x-csrf-token'] and verifies it with the secret from req.session.csrf if available or from the csrf cookie.
body-parser is required to obtain the token from the request body.
Name of session key and cookie name can be changed via opts.name
Connect middleware (req, res, next) => {}
Verifies the cookie only; For token based xhr requests. See Your API-Centric Web App Is Probably Not Safe Against XSS and CSRF.
NOTE: Only set CSRF Cookie with create() on successful login!
Connect middleware (req, res, next) => {} which chains create and verify.
See ./example/app.js. Run with node exampe/app.js and open http://localhost:3000 in browser.
const Csrf = require('signed-token-csrf')
const bodyParser = require('body-parser')
const session = require('express-session')
const app = require('express')()
const csrf = new Csrf('csrfSecret', { cookie: { secure: false } })
// works with or without a session
app.use(
session({ secret: 'sessionSecret', resave: false, saveUninitialized: true })
)
app.use(csrf.checkOrigin)
app.get(
'/form',
csrf.create, // adds CSRF protection
(req, res) => {
// render a form
res.end(`
<form action="/form" method="POST">
<input type="hidden" name="csrf" value="${req.csrfToken()}" >
<input type="text" name="text" value="some text"><br>
<button>Submit</button>
</form>
`)
}
)
app.post(
'/form', // render the submitted values or throw
bodyParser.urlencoded({ extended: false }),
csrf.verify,
(req, res) => {
res.end(`
<h2>Parameters</h2>
<pre>
text: ${req.body.text}
csrf: ${req.body.csrf}
</pre>
`)
}
)
app.use('/', (req, res) => {
res.redirect('/form')
})
app.listen(3000)Run example and browse to http://localhost:3000/xhr
app.use(csrf.checkOrigin)
app.get(
'/api/login',
(req, res, next) => {
// prevent creating a new csrf cookie if authenticated
const err =
req.headers.authorization && httpError(403, 'already authenticated')
next(err)
},
csrf.create,
(req, res) => res.json({ token: 'your-auth-token' })
)
app.use('/api', csrf.verifyXhr, (req, res) => res.json({}))Requires nodejs.
$ npm install signed-token-csrf$ npm testUnlicense https://unlicense.org