Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
crumb - npm Package Compare versions
Comparing version 4.0.0 to 4.0.1
@@ -178,5 +178,2 @@ // Load modules | ||
| if (!this._host) { | ||
| return this._host; | ||
| } | ||
| if (host.indexOf('https://') === 0) { | ||
@@ -198,3 +195,3 @@ this._host = this._host.substring(8); | ||
| var host = internals.trimHost(request.connection.info.uri); | ||
| var requestHost = internals.trimHost(request.headers.host); | ||
| var requestHost = request.headers.host; | ||
| this._match = false; | ||
@@ -201,0 +198,0 @@ |
| { | ||
| "name": "crumb", | ||
| "description": "CSRF crumb generation and validation plugin", | ||
| "version": "4.0.0", | ||
| "version": "4.0.1", | ||
| "repository": "git://github.com/hapijs/crumb", | ||
@@ -6,0 +6,0 @@ "bugs": { |
@@ -29,3 +29,3 @@  | ||
| * 'addToViewContext' - whether to automatically add the crumb to view contexts as the given key (defaults to true) | ||
| * 'cookieOptions' - storage options for the cookie containing the crumb, see the [server.state](https://github.com/hapijs/hapi/blob/master/docs/Reference.md#serverstatename-options) documentation of hapi for more information | ||
| * 'cookieOptions' - storage options for the cookie containing the crumb, see the [server.state](http://hapijs.com/api#serverstatename-options) documentation of hapi for more information | ||
| * 'restful' - RESTful mode that validates crumb tokens from "X-CSRF-Token" request header for POST, PUT, PATCH and DELETE server routes. Disables payload/query crumb validation (defaults to false) | ||
@@ -32,0 +32,0 @@ * 'skip' - a function with the signature of function (request reply) {}, which when provided, is called for every request. If the provided function returns true, validation and generation of crumb is skipped (defaults to false) |
@@ -396,3 +396,3 @@ // Load modules | ||
| var headers = {}; | ||
| headers.host = 'http://localhost:80'; | ||
| headers.host = 'localhost:80'; | ||
@@ -447,3 +447,3 @@ server.inject({ method: 'GET', url: '/1', headers: headers }, function (res) { | ||
| server.inject({ method: 'GET', url: '/1', headers: { host: 'https://localhost:443' } }, function (res) { | ||
| server.inject({ method: 'GET', url: '/1', headers: { host: 'localhost:443' } }, function (res) { | ||
@@ -669,2 +669,159 @@ var header = res.headers['set-cookie']; | ||
| }); | ||
| it('validates crumb with X-CSRF-Token header', function (done) { | ||
| var server = new Hapi.Server(); | ||
| server.connection(); | ||
| server.views({ | ||
| path: __dirname + '/templates', | ||
| engines: { | ||
| html: require('handlebars') | ||
| } | ||
| }); | ||
| server.route([ | ||
| { | ||
| method: 'GET', path: '/1', handler: function (request, reply) { | ||
| expect(request.plugins.crumb).to.exist(); | ||
| expect(request.server.plugins.crumb.generate).to.exist(); | ||
| return reply.view('index', { | ||
| title: 'test', | ||
| message: 'hi' | ||
| }); | ||
| } | ||
| }, | ||
| { | ||
| method: 'POST', path: '/2', handler: function (request, reply) { | ||
| expect(request.payload).to.deep.equal({ key: 'value' }); | ||
| return reply('valid'); | ||
| } | ||
| }, | ||
| { | ||
| method: 'POST', path: '/3', config: { payload: { output: 'stream' } }, handler: function (request, reply) { | ||
| return reply('never'); | ||
| } | ||
| }, | ||
| { | ||
| method: 'PUT', path: '/4', handler: function (request, reply) { | ||
| expect(request.payload).to.deep.equal({ key: 'value' }); | ||
| return reply('valid'); | ||
| } | ||
| }, | ||
| { | ||
| method: 'PATCH', path: '/5', handler: function (request, reply) { | ||
| expect(request.payload).to.deep.equal({ key: 'value' }); | ||
| return reply('valid'); | ||
| } | ||
| }, | ||
| { | ||
| method: 'DELETE', path: '/6', handler: function (request, reply) { | ||
| return reply('valid'); | ||
| } | ||
| }, | ||
| { | ||
| method: 'POST', path: '/7', config: { plugins: { crumb: false } }, handler: function (request, reply) { | ||
| expect(request.payload).to.deep.equal({ key: 'value' }); | ||
| return reply('valid'); | ||
| } | ||
| }, | ||
| { | ||
| method: 'POST', path: '/8', config: { plugins: { crumb: { restful: false, source: 'payload' } } }, handler: function (request, reply) { | ||
| expect(request.payload).to.deep.equal({ key: 'value' }); | ||
| return reply('valid'); | ||
| } | ||
| } | ||
| ]); | ||
| server.register({ register: Crumb, options: { restful: true, cookieOptions: { isSecure: true } } }, function (err) { | ||
| expect(err).to.not.exist(); | ||
| server.inject({ method: 'GET', url: '/1' }, function (res) { | ||
| var header = res.headers['set-cookie']; | ||
| expect(header.length).to.equal(1); | ||
| expect(header[0]).to.contain('Secure'); | ||
| var cookie = header[0].match(/crumb=([^\x00-\x20\"\,\;\\\x7F]*)/); | ||
| var validHeader = {}; | ||
| validHeader.cookie = 'crumb=' + cookie[1]; | ||
| validHeader['x-csrf-token'] = cookie[1]; | ||
| var invalidHeader = {}; | ||
| invalidHeader.cookie = 'crumb=' + cookie[1]; | ||
| invalidHeader['x-csrf-token'] = 'x' + cookie[1]; | ||
| expect(res.result).to.equal('<!DOCTYPE html><html><head><title>test</title></head><body><div><h1>hi</h1><h2>' + cookie[1] + '</h2></div></body></html>'); | ||
| server.inject({ method: 'POST', url: '/2', payload: '{ "key": "value" }', headers: validHeader }, function (res) { | ||
| expect(res.result).to.equal('valid'); | ||
| server.inject({ method: 'POST', url: '/2', payload: '{ "key": "value" }', headers: invalidHeader }, function (res) { | ||
| expect(res.statusCode).to.equal(403); | ||
| server.inject({ method: 'POST', url: '/3', headers: { cookie: 'crumb=' + cookie[1] } }, function (res) { | ||
| expect(res.statusCode).to.equal(403); | ||
| server.inject({ method: 'PUT', url: '/4', payload: '{ "key": "value" }', headers: validHeader }, function (res) { | ||
| expect(res.result).to.equal('valid'); | ||
| server.inject({ method: 'PUT', url: '/4', payload: '{ "key": "value" }', headers: invalidHeader }, function (res) { | ||
| expect(res.statusCode).to.equal(403); | ||
| server.inject({ method: 'PATCH', url: '/5', payload: '{ "key": "value" }', headers: validHeader }, function (res) { | ||
| expect(res.result).to.equal('valid'); | ||
| server.inject({ method: 'PATCH', url: '/5', payload: '{ "key": "value" }', headers: invalidHeader }, function (res) { | ||
| expect(res.statusCode).to.equal(403); | ||
| server.inject({ method: 'DELETE', url: '/6', headers: validHeader }, function (res) { | ||
| expect(res.result).to.equal('valid'); | ||
| server.inject({ method: 'DELETE', url: '/6', headers: invalidHeader }, function (res) { | ||
| expect(res.statusCode).to.equal(403); | ||
| server.inject({ method: 'POST', url: '/7', payload: '{ "key": "value" }' }, function (res) { | ||
| expect(res.result).to.equal('valid'); | ||
| var payload = { key: 'value', crumb: cookie[1] }; | ||
| delete validHeader['x-csrf-token']; | ||
| server.inject({ method: 'POST', url: '/8', payload: JSON.stringify(payload), headers: validHeader }, function (res) { | ||
| expect(res.result).to.equal('valid'); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| }); |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Worsened metrics
- Total package byte prevSize
- decreased by-0.41%
114370
- Number of package files
- decreased by-5.56%
17
- Lines of code
- decreased by-1.96%
850
No dependency changes