@fastify/csrf
Advanced tools
@fastify/csrf - npm Package Compare versions
Comparing version 5.1.0 to 6.0.0
28
index.js
@@ -31,2 +31,13 @@ 'use strict' | ||
| const algorithm = opts.algorithm !== undefined | ||
| ? opts.algorithm | ||
| : 'sha256' | ||
| try { | ||
| crypto | ||
| .createHash(algorithm) | ||
| } catch (err) { | ||
| throw new TypeError('option algorithm must be a supported hash-algorithm') | ||
| } | ||
| const saltLength = opts.saltLength !== undefined | ||
@@ -64,2 +75,3 @@ ? opts.saltLength | ||
| this.algorithm = algorithm | ||
| this.saltLength = saltLength | ||
@@ -93,3 +105,3 @@ this.saltGenerator = saltGenerator(saltLength) | ||
| return this._tokenize(secret, this.saltGenerator(), date, userInfo) | ||
| return this._tokenize(secret, this.saltGenerator(), date, userInfo, this.algorithm) | ||
| } | ||
@@ -192,3 +204,3 @@ | ||
| Tokens.prototype._tokenize = Buffer.isEncoding('base64url') | ||
| ? function _tokenize (secret, salt, date, userInfo) { | ||
| ? function _tokenize (secret, salt, date, userInfo, algorithm) { | ||
| let toHash = '' | ||
@@ -202,3 +214,3 @@ | ||
| toHash += crypto | ||
| .createHash('sha1') | ||
| .createHash(algorithm) | ||
| .update(userInfo) | ||
@@ -212,7 +224,7 @@ .digest('base64url') | ||
| return toHash + '-' + crypto | ||
| .createHash('sha1') | ||
| .createHash(algorithm) | ||
| .update(toHash + '-' + secret, 'ascii') | ||
| .digest('base64url') | ||
| } | ||
| : function _tokenize (secret, salt, date, userInfo) { | ||
| : function _tokenize (secret, salt, date, userInfo, algorithm) { | ||
| let toHash = '' | ||
@@ -226,3 +238,3 @@ | ||
| toHash += crypto | ||
| .createHash('sha1') | ||
| .createHash(algorithm) | ||
| .update(userInfo) | ||
@@ -237,3 +249,3 @@ .digest('base64') | ||
| return toHash + '-' + crypto | ||
| .createHash('sha1') | ||
| .createHash(algorithm) | ||
| .update(toHash + '-' + secret, 'ascii') | ||
@@ -305,3 +317,3 @@ .digest('base64') | ||
| const actual = Buffer.from(token) | ||
| const expected = Buffer.from(this._tokenize(secret, salt, date, userInfo)) | ||
| const expected = Buffer.from(this._tokenize(secret, salt, date, userInfo, this.algorithm)) | ||
@@ -308,0 +320,0 @@ // to avoid the exposure if the provided value has the correct length, we call |
| { | ||
| "name": "@fastify/csrf", | ||
| "description": "primary logic behind csrf tokens", | ||
| "version": "5.1.0", | ||
| "version": "6.0.0", | ||
| "author": "Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)", | ||
| "main": "index.js", | ||
| "types": "types/index.d.ts", | ||
| "contributors": [ | ||
@@ -19,31 +21,16 @@ "Douglas Christopher Wilson <doug@somethingdoug.com>", | ||
| "homepage": "https://github.com/fastify/csrf#readme", | ||
| "scripts": { | ||
| "bench": "node benchmark/index.js", | ||
| "lint": "standard", | ||
| "test": "npm run test:unit && npm run test:typescript", | ||
| "test:unit": "tap", | ||
| "test:typescript": "tsd" | ||
| }, | ||
| "devDependencies": { | ||
| "beautify-benchmark": "^0.2.4", | ||
| "benchmark": "^2.1.4", | ||
| "eslint": "^8.0.0", | ||
| "eslint-config-standard": "^17.0.0", | ||
| "eslint-plugin-import": "^2.22.1", | ||
| "eslint-plugin-markdown": "^2.0.0", | ||
| "eslint-plugin-node": "^11.0.0", | ||
| "eslint-plugin-promise": "^6.0.0", | ||
| "mocha": "^10.0.0", | ||
| "nyc": "^15.0.0", | ||
| "tsd": "^0.22.0" | ||
| "standard": "^17.0.0", | ||
| "tap": "^16.3.0", | ||
| "tsd": "^0.24.1" | ||
| }, | ||
| "types": "types/index.d.ts", | ||
| "files": [ | ||
| "LICENSE", | ||
| "README.md", | ||
| "types/index.d.ts", | ||
| "index.js" | ||
| ], | ||
| "scripts": { | ||
| "bench": "node benchmark/index.js", | ||
| "lint": "eslint --plugin markdown --ext js,md .", | ||
| "test": "npm run test:unit && npm run test:types", | ||
| "test:unit": "mocha --trace-deprecation --reporter spec --bail --check-leaks test/", | ||
| "test-ci": "nyc --reporter=text npm run test:unit", | ||
| "test-cov": "nyc --reporter=html --reporter=text npm test:unit", | ||
| "test:types": "tsd" | ||
| }, | ||
| "keywords": [ | ||
@@ -50,0 +37,0 @@ "csrf", |
| # CSRF | ||
| [](https://github.com/fastify/csrf/actions/workflows/ci.yml) | ||
| [](https://www.npmjs.com/package/@fastify/csrf) | ||
| [](https://standardjs.com/) | ||
| Logic behind CSRF token creation and verification. | ||
@@ -21,3 +25,3 @@ | ||
| ```sh | ||
| $ npm install @fastify/csrf | ||
| $ npm i @fastify/csrf | ||
| ``` | ||
@@ -48,2 +52,6 @@ | ||
| ##### algorithm | ||
| The hash-algorithm to generate the token. Defaults to `sha256`. | ||
| ##### saltLength | ||
@@ -50,0 +58,0 @@ |
@@ -42,2 +42,8 @@ interface TokensBase { | ||
| /** | ||
| * The algorithm used to generate the token | ||
| * @default sha256 | ||
| */ | ||
| algorithm?: string; | ||
| /** | ||
| * The string length of the salt | ||
@@ -44,0 +50,0 @@ * |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
Shell access
Supply chain riskThis module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Found 1 instance in 1 package
Filesystem access
Supply chain riskAccesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by123.91%
37895
- Dev dependency count
- decreased by-54.55%
5
- Number of package files
- increased by300%
20
- Lines of code
- increased by166.27%
900
- Number of lines in readme file
- increased by5.33%
158
Worsened metrics
- Number of low supply chain risk alerts
- increased byInfinity%
1
- Number of medium supply chain risk alerts
- increased by50%
3