@fastify/csrf
Logic behind CSRF token creation and verification.
Read Understanding-CSRF for more information on CSRF. Use this module to create custom CSRF middleware.
Looking for a CSRF framework for your favorite framework that uses this module?
This module is a fork of https://github.com/pillarjs/csrf at f0d66c91ea4be6d30a03bd311ed9518951d9c3e4.
$ npm i @fastify/csrf
This module includes a TypeScript declaration file to enable auto-complete in compatible editors and type information for TypeScript projects.
const Tokens = require('@fastify/csrf')
new Tokens([options])
Create a new token generation/verification instance. The options argument is optional and will just use all defaults if missing.
Options
Tokens accept these properties in the options object.
algorithm: The hash algorithm used to generate the token. Defaults to sha256.
saltLength: The length of the internal salt to use, in characters. Internally, the salt is a base 62 string. Defaults to 8 characters.
secretLength: The length of the secret to generate, in bytes. Note that the secret is passed around base-64 encoded and that this length refers to the underlying bytes, not the length of the base-64 string. Defaults to 18 bytes.
userInfo: Require user-specific information in tokens.create() and tokens.verify().
hmacKey: When set, the hmacKey is used to generate a cryptographic HMAC instead of the default hash function.
validity: The maximum validity of the token to generate, in milliseconds. Note that the epoch is passed around base-36 encoded. Defaults to 0 milliseconds (disabled).
tokens.create(secret[, userInfo])
Create a new CSRF token attached to the given secret. The secret is a string, typically generated from the tokens.secret() or tokens.secretSync() methods. This token is what you should add into HTML <form> blocks and expect the user's browser to provide back.
const secret = tokens.secretSync()
const token = tokens.create(secret)
The userInfo parameter can be used to protect against cookie tossing attacks (and similar) when the application is deployed with untrusted subdomains. It will encode some user-specific information within the token. It is used only if userInfo: true is passed to the constructor.
tokens.secret(callback)
Asynchronously create a new secret, which is a string. The secret is to be kept on the server, typically stored in a server-side session for the user. The secret should be at least per user.
tokens.secret(function (err, secret) {
if (err) throw err
// Do something with the secret
})
tokens.secret()
Asynchronously create a new secret and return a Promise. Please see the tokens.secret(callback) documentation for full details.
Note: To use promises in Node.js prior to 0.12, promises must be "polyfilled" using global.Promise = require('bluebird').
tokens.secret().then(function (secret) {
// Do something with the secret
})
tokens.secretSync()
A synchronous version of tokens.secret(callback). Please see the tokens.secret(callback) documentation for full details.
const secret = tokens.secretSync()
tokens.verify(secret, token[, userInfo])
Check whether a CSRF token is valid for the given secret, returning a Boolean.
if (!tokens.verify(secret, token)) {
throw new Error('invalid token!')
}
The userInfo parameter is required if userInfo: true was configured during initialization. The user-specific information must match what was passed in tokens.create().
Licensed under MIT.