Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
@otterhttp/csrf-csrf
Advanced tools
@otterhttp/csrf-csrf - npm Package Compare versions
Comparing version 2.0.0 to 3.0.0
@@ -6,29 +6,19 @@ import { IncomingMessage, ServerResponse } from 'node:http'; | ||
| type NextFunction = () => unknown; | ||
| type Cookie = { | ||
| value: string; | ||
| }; | ||
| type CSRFRequest = IncomingMessage & { | ||
| signedCookies?: Record<string, unknown>; | ||
| cookies?: Record<string, unknown>; | ||
| cookies: Record<string, Cookie>; | ||
| }; | ||
| type Response = ServerResponse; | ||
| type CookieSigningOptions = { | ||
| signed: true; | ||
| getSigningSecret: CsrfSecretRetriever; | ||
| } | { | ||
| signed?: false | undefined; | ||
| getSigningSecret?: undefined; | ||
| type CSRFResponse = ServerResponse & { | ||
| cookie: (name: string, value: string, options?: SerializeOptions) => unknown; | ||
| }; | ||
| type ResolvedCookieSigningOptions = { | ||
| signed: true; | ||
| getSigningSecret: CsrfSecretRetriever; | ||
| } | { | ||
| signed: false; | ||
| getSigningSecret: undefined; | ||
| }; | ||
| type ExtraCookieOptions = { | ||
| name?: string; | ||
| }; | ||
| type CSRFCookieOptions = SerializeOptions & CookieSigningOptions & ExtraCookieOptions; | ||
| type ResolvedCSRFCookieOptions = SerializeOptions & ResolvedCookieSigningOptions & Required<ExtraCookieOptions>; | ||
| type CSRFCookieOptions = SerializeOptions & ExtraCookieOptions; | ||
| type ResolvedCSRFCookieOptions = SerializeOptions & Required<ExtraCookieOptions>; | ||
| type TokenRetriever = (req: CSRFRequest) => string | null | undefined; | ||
| type CsrfSecretRetriever = (req?: CSRFRequest) => string | Array<string>; | ||
| type doubleCsrfProtection = (req: CSRFRequest, res: Response, next: NextFunction) => void; | ||
| type doubleCsrfProtection = (req: CSRFRequest, res: CSRFResponse, next: NextFunction) => void; | ||
| type RequestMethod = "GET" | "HEAD" | "PATCH" | "PUT" | "POST" | "DELETE" | "CONNECT" | "OPTIONS" | "TRACE"; | ||
@@ -42,4 +32,4 @@ type CsrfIgnoredMethods = Array<RequestMethod>; | ||
| }) => boolean; | ||
| type CsrfCookieSetter = (res: Response, name: string, value: string, options: CSRFCookieOptions) => void; | ||
| type CsrfTokenCreator = (req: CSRFRequest, res: Response, options?: GenerateCsrfTokenOptions) => string; | ||
| type CsrfCookieSetter = (res: CSRFResponse, name: string, value: string, options: CSRFCookieOptions) => void; | ||
| type CsrfTokenCreator = (req: CSRFRequest, res: CSRFResponse, options?: GenerateCsrfTokenOptions) => string; | ||
| type CsrfErrorConfig = { | ||
@@ -77,2 +67,2 @@ statusCode: keyof typeof statusMessages; | ||
| export { type CSRFCookieOptions, type CSRFRequest, type CsrfCookieSetter, type CsrfErrorConfig, type CsrfErrorConfigOptions, type CsrfIgnoredMethods, type CsrfRequestValidator, type CsrfSecretRetriever, type CsrfTokenAndHashPairValidator, type CsrfTokenCreator, type DoubleCsrfConfig, type DoubleCsrfUtilities, type GenerateCsrfTokenConfig, type GenerateCsrfTokenOptions, type RequestMethod, type ResolvedCSRFCookieOptions, type Response, type TokenRetriever, doubleCsrf, type doubleCsrfProtection }; | ||
| export { type CSRFCookieOptions, type CSRFRequest, type CSRFResponse, type CsrfCookieSetter, type CsrfErrorConfig, type CsrfErrorConfigOptions, type CsrfIgnoredMethods, type CsrfRequestValidator, type CsrfSecretRetriever, type CsrfTokenAndHashPairValidator, type CsrfTokenCreator, type DoubleCsrfConfig, type DoubleCsrfUtilities, type GenerateCsrfTokenConfig, type GenerateCsrfTokenOptions, type RequestMethod, type ResolvedCSRFCookieOptions, type TokenRetriever, doubleCsrf, type doubleCsrfProtection }; |
| // src/index.ts | ||
| import { createHmac, randomBytes } from "crypto"; | ||
| import { serialize } from "@otterhttp/cookie"; | ||
| import { sign } from "@otterhttp/cookie-signature"; | ||
| import { ClientError } from "@otterhttp/errors"; | ||
| function setSecretCookie(req, res, secret, { signed, getSigningSecret, name, ...options }) { | ||
| if (!signed) { | ||
| setCookie(res, name, secret, options); | ||
| return; | ||
| } | ||
| let signingSecret = getSigningSecret(req); | ||
| if (Array.isArray(signingSecret)) signingSecret = signingSecret[0]; | ||
| const value = `s:${sign(secret, signingSecret)}`; | ||
| setCookie(res, name, value, options); | ||
| function setSecretCookie(req, res, secret, { name, ...options }) { | ||
| res.cookie(name, secret, options); | ||
| } | ||
| function setCookie(res, name, value, options) { | ||
| const data = serialize(name, value, options); | ||
| res.appendHeader("set-cookie", data); | ||
| } | ||
| function doubleCsrf({ | ||
@@ -55,4 +42,4 @@ getSecret, | ||
| const csrfCookie = getCsrfCookieFromRequest(req); | ||
| if (typeof csrfCookie === "string" && !overwrite) { | ||
| const [csrfToken2, csrfTokenHash2] = csrfCookie.split(delimiter); | ||
| if (typeof csrfCookie === "object" && !overwrite) { | ||
| const [csrfToken2, csrfTokenHash2] = csrfCookie.value.split(delimiter); | ||
| if (validateTokenAndHashPair(req, { | ||
@@ -83,7 +70,4 @@ incomingToken: csrfToken2, | ||
| }; | ||
| const getCsrfCookieFromRequest = defaultCookieOptions.signed ? (req) => { | ||
| const getCsrfCookieFromRequest = (req) => { | ||
| var _a; | ||
| return (_a = req.signedCookies) == null ? void 0 : _a[defaultCookieOptions.name]; | ||
| } : (req) => { | ||
| var _a; | ||
| return (_a = req.cookies) == null ? void 0 : _a[defaultCookieOptions.name]; | ||
@@ -101,4 +85,4 @@ }; | ||
| const csrfCookie = getCsrfCookieFromRequest(req); | ||
| if (typeof csrfCookie !== "string") return false; | ||
| const [csrfTokenFromCookie, csrfTokenHash] = csrfCookie.split(delimiter); | ||
| if (typeof csrfCookie !== "object") return false; | ||
| const [csrfTokenFromCookie, csrfTokenHash] = csrfCookie.value.split(delimiter); | ||
| const csrfTokenFromRequest = getTokenFromRequest(req); | ||
@@ -105,0 +89,0 @@ const getSecretResult = getSecret(req); |
@@ -46,3 +46,4 @@ { | ||
| "@biomejs/biome": "^1.8.3", | ||
| "@tinyhttp/cookie-parser": "^2.0.6", | ||
| "@otterhttp/cookie-signature": "^3.0.0", | ||
| "@otterhttp/request": "^3.1.1", | ||
| "@types/node": "^20.14.10", | ||
@@ -58,3 +59,2 @@ "@vitest/coverage-istanbul": "^2.0.3", | ||
| "@otterhttp/cookie": "^3.0.0", | ||
| "@otterhttp/cookie-signature": "^3.0.0", | ||
| "@otterhttp/errors": "^0.2.0" | ||
@@ -66,3 +66,3 @@ }, | ||
| "packageManager": "pnpm@9.5.0", | ||
| "version": "2.0.0" | ||
| "version": "3.0.0" | ||
| } |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Dependency count
- decreased by-33.33%
2
Worsened metrics
- Total package byte prevSize
- decreased by-4.5%
40731
- Dev dependency count
- increased by11.11%
10
- Lines of code
- decreased by-11.93%
310
Dependency changes
- Removed@otterhttp/cookie-signature@^3.0.0
- Removed@otterhttp/cookie-signature@3.0.0(transitive)