@fastify/csrf-protection - npm Package Compare versions

Comparing version 6.2.0 to 6.3.0

index.js

@@ -45,2 +45,7 @@ 'use strict'
   }
+
+  if (sessionPlugin === '@fastify/cookie' && csrfOpts.userInfo) {
+    assert(csrfOpts.hmacKey, 'csrfOpts.hmacKey is required')
+  }
+
   const tokens = new CSRF(csrfOpts)
@@ -47,0 +52,0 @@

package.json

 {
   "name": "@fastify/csrf-protection",
-  "version": "6.2.0",
+  "version": "6.3.0",
   "description": "A plugin for adding CSRF protection to Fastify.",
@@ -46,3 +46,3 @@ "main": "index.js",
     "tap": "^16.0.0",
-    "tsd": "^0.25.0"
+    "tsd": "^0.28.0"
   },
@@ -49,0 +49,0 @@ "pre-commit": [

README.md

@@ -164,2 +164,3 @@ # @fastify/csrf-protection
 This option is needed to protect against cookie tossing.
+The option `csrfOpts.hmacKey` is required if `getUserInfo` has been specified in the module option in combination with using [@fastify/cookie](https://github.com/fastify/fastify-cookie) as sessionPlugin
 
@@ -166,0 +167,0 @@ ### `fastify.csrfProtection(request, reply, next)`

test/user-info.test.js

@@ -20,2 +20,5 @@ 'use strict'
       return userInfoDB[req.body.username]
+    },
+    csrfOpts: {
+      hmacKey: 'foo'
     }
@@ -77,2 +80,5 @@ })
       return req.session.username
+    },
+    csrfOpts: {
+      hmacKey: 'foo'
     }
@@ -127,2 +133,5 @@ })
       return req.session.get('username')
+    },
+    csrfOpts: {
+      hmacKey: 'foo'
     }
@@ -169,1 +178,80 @@ })
 })
+
+test('Validate presence of hmac key with User-Info /1', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifyCookie)
+
+  await t.rejects(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    }
+  }), Error('csrfOpts.hmacKey is required'))
+})
+
+test('Validate presence of hmac key with User-Info /2', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifyCookie)
+
+  await t.rejects(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    },
+    sessionPlugin: '@fastify/cookie'
+  }), Error('csrfOpts.hmacKey is required'))
+})
+
+test('Validate presence of hmac key with User-Info /3', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifyCookie)
+
+  await t.rejects(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    },
+    csrfOpts: {
+      hmacKey: undefined
+    }
+  }), Error('csrfOpts.hmacKey is required'))
+})
+
+test('Validate presence of hmac key with User-Info /4', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifyCookie)
+
+  await t.rejects(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    },
+    sessionPlugin: '@fastify/cookie',
+    csrfOpts: {
+      hmacKey: undefined
+    }
+  }), Error('csrfOpts.hmacKey is required'))
+})
+
+test('Validate presence of hmac key with User-Info /5', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifySecureSession, { key, cookie: { path: '/', secure: false } })
+
+  await t.resolves(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    },
+    sessionPlugin: '@fastify/secure-session'
+  }))
+})
+
+test('Validate presence of hmac key with User-Info /6', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifySecureSession, { key, cookie: { path: '/', secure: false } })
+
+  await t.resolves(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    },
+    sessionPlugin: '@fastify/secure-session',
+    csrfOpts: {
+      hmacKey: 'foo'
+    }
+  }))
+})

types/index.d.ts

@@ -29,5 +29,4 @@ /// <reference types="node" />
   export type GetTokenFn = (req: FastifyRequest) => string | void;
-  
-  export interface FastifyCsrfProtectionOptions {
-    csrfOpts?: CSRFOptions;
+
+  interface FastifyCsrfProtectionOptionsBase {
     cookieKey?: string;
@@ -38,5 +37,25 @@ cookieOpts?: CookieSerializeOptions;
     getToken?: GetTokenFn;
-    sessionPlugin?: '@fastify/cookie' | '@fastify/session' | '@fastify/secure-session';
   }
 
+  interface FastifyCsrfProtectionOptionsFastifyCookie {
+    sessionPlugin?: '@fastify/cookie';
+    csrfOpts: Omit<CSRFOptions, 'hmacKey'> & Required<Pick<CSRFOptions, 'hmacKey'>>;
+  }
+
+  interface FastifyCsrfProtectionOptionsFastifySession {
+    sessionPlugin: '@fastify/session';
+    csrfOpts?: CSRFOptions;
+  }
+
+  interface FastifyCsrfProtectionOptionsFastifySecureSession {
+    sessionPlugin: '@fastify/secure-session';
+    csrfOpts?: CSRFOptions;
+  }
+
+  export type FastifyCsrfProtectionOptions = FastifyCsrfProtectionOptionsBase & (
+    FastifyCsrfProtectionOptionsFastifyCookie |
+    FastifyCsrfProtectionOptionsFastifySession |
+    FastifyCsrfProtectionOptionsFastifySecureSession
+  )
+
   /**
@@ -43,0 +62,0 @@ * @deprecated Use FastifyCsrfProtectionOptions instead

types/index.test-d.ts

@@ -34,11 +34,26 @@ import Fastify from 'fastify'
 
-fastify.register(FastifyCsrfProtection, { csrfOpts: { algorithm: 'sha1' } })
+fastify.register(FastifyCsrfProtection, { csrfOpts: { algorithm: 'sha1', hmacKey: 'hmac' } })
 expectError(fastify.register(FastifyCsrfProtection, { csrfOpts: { algorithm: 1 } }))
 
 fastify.register(FastifySession)
-fastify.register(FastifyCsrfProtection, { getUserInfo(req) {
-  return req.session.get('username')
-}})
+fastify.register(FastifyCsrfProtection, {
+  csrfOpts: {
+    hmacKey: '123'
+  },
+  getUserInfo(req) {
+    return req.session.get('username')
+  }
+})
 expectError(fastify.register(FastifyCsrfProtection, { getUserInfo: 'invalid' }))
 
+fastify.register(FastifyCsrfProtection, { csrfOpts: { hmacKey: 'hmac' }, sessionPlugin: '@fastify/cookie' })
+fastify.register(FastifyCsrfProtection, { csrfOpts: { hmacKey: 'hmac' } })
+expectError(fastify.register(FastifyCsrfProtection, { }))
+expectError(fastify.register(FastifyCsrfProtection, { csrfOpts: { }}))
+expectError(fastify.register(FastifyCsrfProtection, { sessionPlugin: '@fastify/cookie', csrfOpts: { }}))
+fastify.register(FastifyCsrfProtection, { csrfOpts: { }, sessionPlugin: '@fastify/session' })
+fastify.register(FastifyCsrfProtection, { csrfOpts: { }, sessionPlugin: '@fastify/secure-session' })
+fastify.register(FastifyCsrfProtection, { sessionPlugin: '@fastify/session' })
+fastify.register(FastifyCsrfProtection, { sessionPlugin: '@fastify/secure-session' })
+
 expectDeprecated({} as FastifyCsrfOptions)

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

36037

increased by12.77%

Lines of code

747

increased by16.9%

Number of lines in readme file

217

increased by0.46%

No dependency changes