@fastify/csrf-protection
Advanced tools
@fastify/csrf-protection - npm Package Compare versions
Comparing version 4.0.1 to 4.1.0
@@ -41,6 +41,11 @@ /// <reference types="node" /> | ||
| sessionPlugin?: '@fastify/cookie' | '@fastify/session' | '@fastify/secure-session'; | ||
| csrfOpts: CSRFOptions; | ||
| } | ||
| export interface CSRFOptions { | ||
| hmacKey: string; | ||
| } | ||
| declare const fastifyCsrf: FastifyPlugin<FastifyCsrfOptions>; | ||
| export default fastifyCsrf; |
@@ -42,2 +42,7 @@ 'use strict' | ||
| } | ||
| if (sessionPlugin === '@fastify/cookie' && csrfOpts.userInfo) { | ||
| assert(csrfOpts.hmacKey, 'csrfOpts.hmacKey is required') | ||
| } | ||
| const tokens = new CSRF(csrfOpts) | ||
@@ -44,0 +49,0 @@ |
| { | ||
| "name": "@fastify/csrf-protection", | ||
| "version": "4.0.1", | ||
| "version": "4.1.0", | ||
| "description": "A plugin for adding CSRF protection to Fastify.", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -165,2 +165,3 @@ # @fastify/csrf-protection | ||
| This option is needed to protect against cookie tossing. | ||
| The option `csrfOpts.hmacKey` is required if `getUserInfo` has been specified in the module option in combination with using [@fastify/cookie](https://github.com/fastify/fastify-cookie) as sessionPlugin | ||
@@ -167,0 +168,0 @@ ### `fastify.csrfProtection(request, reply, next)` |
@@ -9,2 +9,3 @@ import Fastify from 'fastify' | ||
| await fastify.register(FastifyCsrf) | ||
| fastify.register(FastifyCsrf, { csrfOpts: { hmacKey: 'hmac' } }) | ||
@@ -11,0 +12,0 @@ fastify.route({ |
@@ -20,2 +20,5 @@ 'use strict' | ||
| return userInfoDB[req.body.username] | ||
| }, | ||
| csrfOpts: { | ||
| hmacKey: 'foo' | ||
| } | ||
@@ -77,2 +80,5 @@ }) | ||
| return req.session.username | ||
| }, | ||
| csrfOpts: { | ||
| hmacKey: 'foo' | ||
| } | ||
@@ -127,2 +133,5 @@ }) | ||
| return req.session.get('username') | ||
| }, | ||
| csrfOpts: { | ||
| hmacKey: 'foo' | ||
| } | ||
@@ -169,1 +178,80 @@ }) | ||
| }) | ||
| test('Validate presence of hmac key with User-Info /1', async (t) => { | ||
| const fastify = Fastify() | ||
| await fastify.register(fastifyCookie) | ||
| await t.rejects(fastify.register(fastifyCsrf, { | ||
| getUserInfo (req) { | ||
| return req.session.get('username') | ||
| } | ||
| }), Error('csrfOpts.hmacKey is required')) | ||
| }) | ||
| test('Validate presence of hmac key with User-Info /2', async (t) => { | ||
| const fastify = Fastify() | ||
| await fastify.register(fastifyCookie) | ||
| await t.rejects(fastify.register(fastifyCsrf, { | ||
| getUserInfo (req) { | ||
| return req.session.get('username') | ||
| }, | ||
| sessionPlugin: '@fastify/cookie' | ||
| }), Error('csrfOpts.hmacKey is required')) | ||
| }) | ||
| test('Validate presence of hmac key with User-Info /3', async (t) => { | ||
| const fastify = Fastify() | ||
| await fastify.register(fastifyCookie) | ||
| await t.rejects(fastify.register(fastifyCsrf, { | ||
| getUserInfo (req) { | ||
| return req.session.get('username') | ||
| }, | ||
| csrfOpts: { | ||
| hmacKey: undefined | ||
| } | ||
| }), Error('csrfOpts.hmacKey is required')) | ||
| }) | ||
| test('Validate presence of hmac key with User-Info /4', async (t) => { | ||
| const fastify = Fastify() | ||
| await fastify.register(fastifyCookie) | ||
| await t.rejects(fastify.register(fastifyCsrf, { | ||
| getUserInfo (req) { | ||
| return req.session.get('username') | ||
| }, | ||
| sessionPlugin: '@fastify/cookie', | ||
| csrfOpts: { | ||
| hmacKey: undefined | ||
| } | ||
| }), Error('csrfOpts.hmacKey is required')) | ||
| }) | ||
| test('Validate presence of hmac key with User-Info /5', async (t) => { | ||
| const fastify = Fastify() | ||
| await fastify.register(fastifySecureSession, { key, cookie: { path: '/', secure: false } }) | ||
| await t.resolves(fastify.register(fastifyCsrf, { | ||
| getUserInfo (req) { | ||
| return req.session.get('username') | ||
| }, | ||
| sessionPlugin: '@fastify/secure-session' | ||
| })) | ||
| }) | ||
| test('Validate presence of hmac key with User-Info /6', async (t) => { | ||
| const fastify = Fastify() | ||
| await fastify.register(fastifySecureSession, { key, cookie: { path: '/', secure: false } }) | ||
| await t.resolves(fastify.register(fastifyCsrf, { | ||
| getUserInfo (req) { | ||
| return req.session.get('username') | ||
| }, | ||
| sessionPlugin: '@fastify/secure-session', | ||
| csrfOpts: { | ||
| hmacKey: 'foo' | ||
| } | ||
| })) | ||
| }) |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by9.71%
32910
- Lines of code
- increased by14.95%
646
- Number of lines in readme file
- increased by0.5%
203
- Number of medium supply chain risk alerts
- decreased by-50%
1