@companieshouse/web-security-node

Package Overview
Dependencies
Maintainers
8
Versions
28
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@companieshouse/web-security-node - npm Package Compare versions

Comparing version 3.0.2 to 3.1.0

35

dist/csrf-protection-middleware.js

@@ -57,2 +57,3 @@ "use strict";

const sessionCsrfToken = req.session.get(SessionKey_1.SessionKey.CsrfToken);
const applyCsrfTokenToLocals = (csrfTokenToUse) => res.locals.csrfToken = csrfTokenToUse;
if (MUTABLE_METHODS.includes(req.method)) {

@@ -67,11 +68,19 @@ if (!sessionCsrfToken) {

}
res.render = modifiedRender(res, sessionCsrfToken);
applyCsrfTokenToLocals(sessionCsrfToken);
}
else if (!sessionCsrfToken && options.createWhenCsrfTokenAbsent !== false) {
const csrfToken = csrfTokenFactory();
const newSessionData = Object.assign(Object.assign({}, (req.session.data)), { [SessionKey_1.SessionKey.CsrfToken]: csrfToken });
req.session = new node_session_handler_1.Session(newSessionData);
yield options.sessionStore.store(Cookie_1.Cookie.createFrom(req.cookies[cookieName]), newSessionData);
res.render = modifiedRender(res, csrfToken);
else if (!sessionCsrfToken) {
if (options.createWhenCsrfTokenAbsent !== false) {
const csrfToken = csrfTokenFactory();
const newSessionData = Object.assign(Object.assign({}, (req.session.data)), { [SessionKey_1.SessionKey.CsrfToken]: csrfToken });
req.session = new node_session_handler_1.Session(newSessionData);
yield options.sessionStore.store(Cookie_1.Cookie.createFrom(req.cookies[cookieName]), newSessionData);
applyCsrfTokenToLocals(csrfToken);
}
else {
throw new MissingCsrfSessionToken("CSRF token not found in session.");
}
}
else {
applyCsrfTokenToLocals(sessionCsrfToken);
}
return next();

@@ -85,13 +94,1 @@ }

};
const modifiedRender = (res, csrfToken) => {
const originalRender = res.render;
originalRender.bind(res);
const newRender = (view, parametersOrCallback, callback) => {
if (typeof parametersOrCallback === "object") {
return originalRender(view, Object.assign(Object.assign({}, parametersOrCallback), { csrfToken: csrfToken }), callback);
}
return originalRender(view, parametersOrCallback, callback);
};
newRender.bind(res);
return newRender;
};
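Review bot: The new `else if (!sessionCsrfToken)` branch persists the freshly minted token via `options.sessionStore.store(Cookie.createFrom(req.cookies[cookieName]), newSessionData)` without first checking that the session cookie is actually present; on a request with no `cookieName` cookie `req.cookies[cookieName]` is `undefined`, and it is not visible here whether `Cookie.createFrom` rejects that or produces a write nobody can look up, in which case the token handed to `res.locals` would never match on the follow-up mutable request. Consider an explicit guard ahead of the store call, e.g. `if (!req.cookies[cookieName]) throw new MissingCsrfSessionToken("No session cookie present; cannot persist CSRF token.");`, or reuse whatever check the mutable branch above the hunk already applies. The same create-token / replace-session / store sequence now lives in more than one branch, so a small helper such as `persistCsrfToken(req, csrfToken)` would stop the two paths drifting apart. The `!== false` comparison means an undefined `createWhenCsrfTokenAbsent` silently mints tokens; a comment such as `// createWhenCsrfTokenAbsent defaults to true: an unset option mints a token on safe (non-mutable) requests` would make that default explicit. The enclosing middleware function, including the `MUTABLE_METHODS` branch this `else if` pairs with, starts and ends outside the hunk.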
{
"name": "@companieshouse/web-security-node",
"version": "3.0.2",
"version": "3.1.0",
"description": "Middleware for chs authentication",

@@ -5,0 +5,0 @@ "main": "dist/index.js",

@@ -41,2 +41,3 @@ # web-security-node

app.use(cookieParser());
app.use(express.urlencoded({ extended: true }));
const cookieName = '__SID'

@@ -59,4 +60,9 @@

}
app.use(createLoggerMiddleware(config.applicationNamespace));
// It is important that CSRF Protection follows the Sesion and urlencoded
// Middlewares, maybe put at end of the middleware chain (before
// controllers)
app.use(CsrfProtectionMiddleware(csrfMiddlewareOptions))
app.use(helmet());
```

@@ -72,3 +78,3 @@

"node_modules/govuk-frontend/components/",
"node_modules/@companies-house/web-security-node/"
"node_modules/@companies-house/"
], nunjucksConfig)

@@ -128,3 +134,4 @@ ```

attempt. The middleware expects that all mutable requests contain a token which
matches a token stored within the CHS session.
matches a token stored within the CHS session. It will add `csrfToken` to
locals so that views can reference it as a variable.

@@ -131,0 +138,0 @@ ##### Parameters
