Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

crumb

Package Overview
Dependencies
Maintainers
5
Versions
46
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

crumb - npm Package Compare versions

Comparing version 6.0.3 to 7.0.0

example/package.json
test/fixtures/cert.json
test/fixtures/stream.js
test/fixtures/views.js

68

example/restful.js
'use strict';
const Hapi = require('hapi');
const Vision = require('vision');
const server = new Hapi.Server();
server.connection({ host: '127.0.0.1', port: 8000 });
const server = new Hapi.Server({
host: '127.0.0.1',
port: 8000
});
const plugins = [
Vision,
{
plugin: require('../'),
options: {
restful: true
}
}
];
// Add Crumb plugin
server.register({ register: require('../'), options: { restful: true } }, (err) => {
(async () => {
if (err) {
throw err;
}
});
await server.register(plugins);
server.route([
server.route([
// a "crumb" cookie should be set with any request
// for cross-origin requests, set CORS "credentials" to true
// a route returning the crumb can be created like this
// a "crumb" cookie should be set with any request
// for cross-origin requests, set CORS "credentials" to true
// a route returning the crumb can be created like this
{
method: 'GET',
path: '/generate',
handler: function (request, reply) {
{
method: 'GET',
path: '/generate',
handler: function (request, h) {
return reply({ crumb: server.plugins.crumb.generate(request, reply) });
}
},
return {
crumb: server.plugins.crumb.generate(request, h)
};
}
},
// request header "X-CSRF-Token" with crumb value must be set in request for this route
// request header "X-CSRF-Token" with crumb value must be set in request for this route
{
method: 'PUT',
path: '/crumbed',
handler: function (request, reply) {
{
method: 'PUT',
path: '/crumbed',
handler: function (request, h) {
return reply('Crumb route');
return 'Crumb route';
}
}
}
]);
]);
server.start(() => {
await server.start();
console.log('Example restful server running at:', server.info.uri);
});
})();

69

example/server.js
'use strict';
const Hapi = require('hapi');
const Vision = require('vision');
const server = new Hapi.Server();
server.connection({ host: '127.0.0.1', port: 8000 });
const server = new Hapi.Server({
host: '127.0.0.1',
port: 8000
});
server.views({
path: __dirname + '/templates',
engines: {
html: require('handlebars')
const plugins = [
Vision,
{
plugin: require('../'),
options: {
cookieOptions: {
isSecure: false
}
}
}
});
];
server.register({ register: require('../'), options: { cookieOptions: { isSecure: false } } }, (err) => {
(async () => {
if (err) {
throw err;
}
});
await server.register(plugins);
server.route({
method: 'get',
path: '/',
handler: function (request, reply) {
server.views({
relativeTo: __dirname,
path: 'templates',
engines: {
html: require('handlebars')
}
});
return reply.view('index', { title: 'test', message: 'hi' });
}
});
server.route({
method: 'get',
path: '/',
handler: function (request, h) {
server.route({
method: 'post',
path: '/',
handler: function (request, reply) {
return h.view('index', { title: 'test', message: 'hi' });
}
});
return reply.view('message', { title: 'test', message: request.payload.message });
}
});
server.route({
method: 'post',
path: '/',
handler: function (request, h) {
server.start(() => {
return h.view('message', { title: 'test', message: request.payload.message });
}
});
await server.start();
console.log('Example server running at:', server.info.uri);
});
})();

47

lib/index.js

@@ -40,10 +40,6 @@ 'use strict';

const register = (server, options) => {
exports.register = function (server, options, next) {
Joi.assert(options, internals.schema);
const validateOptions = internals.schema.validate(options);
if (validateOptions.error) {
return next(validateOptions.error);
}
const settings = Hoek.applyToDefaults(internals.defaults, options);

@@ -59,8 +55,8 @@

server.ext('onPostAuth', (request, reply) => {
server.ext('onPostAuth', (request, h) => {
// If skip function enabled. Call it and if returns true, do not attempt to do anything with crumb.
if (settings.skip && settings.skip(request, reply)) {
return reply.continue();
if (settings.skip && settings.skip(request, h)) {
return h.continue;
}

@@ -87,3 +83,3 @@

generate(request, reply);
generate(request, h);
}

@@ -102,3 +98,3 @@

return reply.continue();
return h.continue;
}

@@ -109,7 +105,7 @@

return reply(Boom.forbidden());
throw Boom.forbidden();
}
if (content[request.route.settings.plugins._crumb.key] !== request.plugins.crumb) {
return reply(Boom.forbidden());
throw Boom.forbidden();
}

@@ -125,3 +121,3 @@

return reply.continue();
return h.continue;
}

@@ -132,7 +128,7 @@

if (!header) {
return reply(Boom.forbidden());
throw Boom.forbidden();
}
if (header !== request.plugins.crumb) {
return reply(Boom.forbidden());
throw Boom.forbidden();
}

@@ -142,6 +138,6 @@

return reply.continue();
return h.continue;
});
server.ext('onPreResponse', (request, reply) => {
server.ext('onPreResponse', (request, h) => {

@@ -162,3 +158,3 @@ // Add to view context

return reply.continue();
return h.continue;
});

@@ -174,3 +170,3 @@

const generate = function (request, reply) {
const generate = function (request, h) {

@@ -180,3 +176,3 @@ let crumb = request.state[settings.key];

crumb = Cryptiles.randomString(settings.size);
reply.state(settings.key, crumb, settings.cookieOptions);
h.state(settings.key, crumb, settings.cookieOptions);
}

@@ -188,9 +184,8 @@

server.expose({ generate: generate });
return next();
server.expose({ generate });
};
exports.register.attributes = {
pkg: require('../package.json')
exports.plugin = {
pkg: require('../package.json'),
register
};

24

package.json
{
"name": "crumb",
"description": "CSRF crumb generation and validation plugin",
"version": "6.0.3",
"version": "7.0.0",
"repository": "git://github.com/hapijs/crumb",

@@ -18,19 +18,19 @@ "bugs": {

"engines": {
"node": ">=4.0.0"
"node": ">=8.0.0"
},
"dependencies": {
"boom": "3.x.x",
"cryptiles": "3.x.x",
"hoek": "4.x.x",
"joi": "8.x.x"
"boom": "7.x.x",
"cryptiles": "4.x.x",
"hoek": "5.x.x",
"joi": "13.x.x"
},
"peerDependencies": {
"hapi": ">=12.x.x"
"hapi": ">=17.x.x"
},
"devDependencies": {
"code": "2.x.x",
"handlebars": "^4.0.5",
"hapi": "13.x.x",
"lab": "10.x.x",
"vision": "^4.0.0"
"code": "^5.1.2",
"handlebars": "4.x.x",
"hapi": "17.x.x",
"lab": "15.x.x",
"vision": "5.x.x"
},

@@ -37,0 +37,0 @@ "scripts": {

75

README.md

@@ -7,11 +7,12 @@ ![crumb Logo](https://raw.github.com/hapijs/crumb/master/images/crumb.png)

Lead Maintainer: [Marcus Stong](https://github.com/stongo)
Lead Maintainer: [Jonathan Samines](https://github.com/jonathansamines)
## What to Use Crumb for and When to Use It
## About CSRF
### What to Use Crumb for and When to Use It
Crumb is used to diminish CSRF attacks using a random unique token that is validated on the server side.
Crumb may be used whenever you want to prevent malicious code to execute system commands, that are performed by HTTP requests. For example, if users are able to publish code on your website, malicious code added by a user could force every other user who opens the page, to load and execute code from a third party website e.g. via an HTML image tag. With Crumb implemented into your hapi.js application, you are able to verify requests with unique tokens and prevent the execution of malicious requests.
Crumb may be used whenever you want to prevent malicious code to execute system commands, that are performed by HTTP requests. For example, if users are able to publish code on your website, malicious code added by a user could force every other user who opens the page, to load and execute code from a third party website e.g. via an HTML image tag. With Crumb implemented into your hapi.js application, you are able to verify requests with unique tokens and prevent the execution of malicious requests.
## CORS
### CORS

@@ -23,19 +24,59 @@ Crumb has been refactored to securely work with CORS, as [OWASP](https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Cross_Origin_Resource_Sharing) recommends using CSRF protection with CORS.

## Usage
## Plugin Options
```js
const Hapi = require('hapi');
const Crumb = require('crumb');
The following options are available when registering the plugin
const server = new Hapi.Server({
port: 8000
});
* 'key' - the name of the cookie to store the csrf crumb in (defaults to 'crumb')
* 'size' - the length of the crumb to generate (defaults to 43, which is 256 bits, see [cryptile](https://github.com/hueniverse/cryptiles) for more information)
* 'autoGenerate' - whether to automatically generate a new crumb for requests (defaults to true)
* 'addToViewContext' - whether to automatically add the crumb to view contexts as the given key (defaults to true)
* 'cookieOptions' - storage options for the cookie containing the crumb, see the [server.state](http://hapijs.com/api#serverstatename-options) documentation of hapi for more information
* 'restful' - RESTful mode that validates crumb tokens from "X-CSRF-Token" request header for POST, PUT, PATCH and DELETE server routes. Disables payload/query crumb validation (defaults to false)
* 'skip' - a function with the signature of `function (request, reply) {}`, which when provided, is called for every request. If the provided function returns true, validation and generation of crumb is skipped (defaults to false)
(async () => {
await server.register({
plugin: Crumb,
Additionally, some configuration can be passed on a per-route basis
// plugin options
options: {}
});
* 'key' - the key used in the view contexts and payloads for the crumb (defaults to whatever the key value in the main settings is)
* 'source' - can be either 'payload' or 'query' specifying how the crumb will be sent in requests (defaults to payload)
* 'restful' - an override for the server's 'restful' setting (defaults to match server setting)
server.route({
path: '/login',
method: 'GET',
options: {
plugins: {
// route specific options
crumb: {}
},
handler(request, h) {
// this requires to have a view engine configured
return h.view('some-view');
}
}
});
})();
```
For a complete example see [the examples folder](./example).
## Options
The following options are available when registering the plugin.
### Registration options
* `key` - the name of the cookie to store the csrf crumb into. Defaults to `crumb`.
* `size` - the length of the crumb to generate. Defaults to `43`, which is 256 bits, see [cryptile](https://github.com/hapijs/cryptiles) for more information.
* `autoGenerate` - whether to automatically generate a new crumb for requests. Defaults to `true`.
* `addToViewContext` - whether to automatically add the crumb to view contexts as the given key. Defaults to `true`.
* `cookieOptions` - storage options for the cookie containing the crumb, see the [server.state](http://hapijs.com/api#serverstatename-options) documentation of hapi for more information. Default to `cookieOptions.path=/`
* `restful` - RESTful mode that validates crumb tokens from *"X-CSRF-Token"* request header for **POST**, **PUT**, **PATCH** and **DELETE** server routes. Disables payload/query crumb validation. Defaults to `false`.
* `skip` - a function with the signature of `function (request, h) {}`, which when provided, is called for every request. If the provided function returns true, validation and generation of crumb is skipped. Defaults to `false`.
### Routes configuration
Additionally, some configuration can be passed on a per-route basis. Disable Crumb for a particular route by passing `false` instead of a configuration object.
* `key` - the key used in the view contexts and payloads for the crumb. Defaults to `plugin.key`.
* `source` - can be either `payload` or `query` specifying how the crumb will be sent in requests. Defaults to `payload`.
* `restful` - an override for the server's 'restful' setting. Defaults to `plugin.restful`.

8

SECURITY.md
# Reporting a security bug
All security bugs are taken seriously and should be reported by email to stongo@gmail.com.
All security bugs are taken seriously and should be reported by email to [security@hapijs.com]((mailto:security@hapijs.com)).

@@ -10,4 +10,4 @@ Your email will be acknowledged within 24 hours, and you’ll receive a more detailed response to your email within 48 hours indicating the next steps in handling your report.

- Email [Marcus Stong](mailto:stongo@gmail.com)
- Give the hapi contributors a heads up on IRC in #hapi on irc.freenode.net
- Email [hapi Security](mailto:security@hapijs.com)
- Give the hapi contributors a heads at one of the locations under https://hapijs.com/community

@@ -29,3 +29,3 @@ Thank you for taking the time to disclose the issue to us. Your efforts and responsible disclosure are greatly appreciated!

# Comments on this Policy
Can you help make this policy / process better? Please email stongo@gmail.com with your comments.
Can you help make this policy / process better? Please email security@hapijs.com with your comments.

@@ -32,0 +32,0 @@ # History

920

test/index.js
'use strict';
// Load modules
/*eslint "hapi/no-shadow-relaxed": 0*/
const Stream = require('stream');
const Code = require('code');

@@ -10,3 +9,5 @@ const Crumb = require('../');

const Lab = require('lab');
const Hoek = require('hoek');
const TestStream = require('./fixtures/stream');
const TLSCert = require('./fixtures/cert');
const Views = require('./fixtures/views');

@@ -21,26 +22,25 @@

const lab = exports.lab = Lab.script();
const describe = lab.describe;
const it = lab.it;
const expect = Code.expect;
const { describe, it } = exports.lab = Lab.script();
const { expect } = Code;
const Vision = require('vision');
internals.viewOptions = {
path: __dirname + '/templates',
engines: {
html: require('handlebars')
}
};
describe('Crumb', () => {
it('returns view with crumb', (done) => {
it('returns view with crumb', async () => {
const server = new Hapi.Server();
server.connection();
const viewOptions = {
path: __dirname + '/templates',
engines: {
html: require('handlebars')
}
};
server.route([
{
method: 'GET', path: '/1', handler: (request, reply) => {
method: 'GET',
path: '/1',
handler: (request, h) => {

@@ -50,3 +50,3 @@ expect(request.plugins.crumb).to.exist();

return reply.view('index', {
return h.view('index', {
title: 'test',

@@ -58,18 +58,31 @@ message: 'hi'

{
method: 'POST', path: '/2', handler: (request, reply) => {
method: 'POST',
path: '/2',
handler: (request, h) => {
expect(request.payload).to.deep.equal({ key: 'value' });
return reply('valid');
expect(request.payload).to.equal({ key: 'value' });
return 'valid';
}
},
{
method: 'POST', path: '/3', config: { payload: { output: 'stream' } }, handler: (request, reply) => {
return reply('never');
}
method: 'POST',
path: '/3',
options: {
payload: {
output: 'stream'
}
},
handler: (request, h) => 'never'
},
{
method: 'GET', path: '/4', config: { plugins: { crumb: false } }, handler: (request, reply) => {
method: 'GET',
path: '/4',
options: {
plugins: {
crumb: false
}
},
handler: (request, h) => {
return reply.view('index', {
return h.view('index', {
title: 'test',

@@ -81,17 +94,31 @@ message: 'hi'

{
method: 'POST', path: '/5', config: { payload: { output: 'stream' } }, handler: (request, reply) => {
return reply('yo');
}
method: 'POST',
path: '/5',
options: {
payload: {
output: 'stream'
}
},
handler: (request, h) => 'yo'
},
{
method: 'GET', path: '/6', handler: (request, reply) => {
return reply.view('index');
}
method: 'GET',
path: '/6',
handler: (request, h) => h.view('index')
},
{
method: 'GET', path: '/7', handler: (request, reply) => {
method: 'GET',
path: '/7',
handler: (request, h) => h.redirect('/1')
}
]);
return reply(null).redirect('/1');
await server.register([
Vision,
{
plugin: Crumb,
options: {
cookieOptions: {
isSecure: true
}
}

@@ -101,109 +128,124 @@ }

server.register([{ register: Vision }, { register: Crumb, options: { cookieOptions: { isSecure: true } } }], (err) => {
server.views(internals.viewOptions);
expect(err).to.not.exist();
// Works with get requests
const res = await server.inject({
method: 'GET',
url: '/1'
});
server.views(viewOptions);
expect(res.statusCode).to.equal(200);
server.inject({ method: 'GET', url: '/1' }, (res) => {
const header = res.headers['set-cookie'];
expect(res.statusCode).to.equal(200);
const header = res.headers['set-cookie'];
expect(header.length).to.equal(1);
expect(header[0]).to.contain('Secure');
expect(header.length).to.equal(1);
expect(header[0]).to.contain('Secure');
const cookie = header[0].match(/crumb=([^\x00-\x20\"\,\;\\\x7F]*)/);
expect(res.result).to.equal('<!DOCTYPE html><html><head><title>test</title></head><body><div><h1>hi</h1><h2>' + cookie[1] + '</h2></div></body></html>');
const cookie = header[0].match(/crumb=([^\x00-\x20\"\,\;\\\x7F]*)/);
server.inject({ method: 'POST', url: '/2', payload: '{ "key": "value", "crumb": "' + cookie[1] + '" }', headers: { cookie: 'crumb=' + cookie[1] } }, (res2) => {
expect(res.result).to.equal(Views.viewWithCrumb(cookie[1]));
expect(res2.result).to.equal('valid');
// Works with crumb on POST body request
const res2 = await server.inject({
method: 'POST',
url: '/2',
payload: '{ "key": "value", "crumb": "' + cookie[1] + '" }',
headers: {
cookie: 'crumb=' + cookie[1]
}
});
server.inject({ method: 'POST', url: '/2', payload: '{ "key": "value", "crumb": "x' + cookie[1] + '" }', headers: { cookie: 'crumb=' + cookie[1] } }, (res3) => {
expect(res2.result).to.equal('valid');
expect(res3.statusCode).to.equal(403);
// Rejects on invalid crumb on POST body request
const res3 = await server.inject({
method: 'POST',
url: '/2',
payload: '{ "key": "value", "crumb": "x' + cookie[1] + '" }',
headers: {
cookie: 'crumb=' + cookie[1]
}
});
server.inject({ method: 'POST', url: '/3', headers: { cookie: 'crumb=' + cookie[1] } }, (res4) => {
expect(res3.statusCode).to.equal(403);
expect(res4.statusCode).to.equal(403);
// Rejects on missing crumb on POST stream body requests
const res4 = await server.inject({
method: 'POST',
url: '/3',
headers: {
cookie: 'crumb=' + cookie[1]
}
});
server.inject({ method: 'GET', url: '/4' }, (res5) => {
expect(res4.statusCode).to.equal(403);
expect(res5.result).to.equal('<!DOCTYPE html><html><head><title>test</title></head><body><div><h1>hi</h1><h2></h2></div></body></html>');
// Works with crumb generation disabled
const res5 = await server.inject({
method: 'GET',
url: '/4'
});
const TestStream = function (opt) {
expect(res5.result).to.equal(Views.viewWithoutCrumb());
Stream.Readable.call(this, opt);
this._max = 2;
this._index = 1;
};
// Works on POST stream requests
const res6 = await server.inject({
method: 'POST',
url: '/5',
payload: new TestStream(),
headers: {
'content-type': 'application/octet-stream',
'content-disposition': 'attachment; filename="test.txt"'
},
simulate: {
end: true
}
});
Hoek.inherits(TestStream, Stream.Readable);
expect(res6.statusCode).to.equal(403);
TestStream.prototype._read = function () {
// Works with get requests with no context
const res7 = await server.inject({
method: 'GET',
url: '/6'
});
const i = this._index++;
if (i > this._max) {
this.push(null);
}
else {
const str = '' + i;
const buf = new Buffer(str, 'ascii');
this.push(buf);
}
};
const header2 = res7.headers['set-cookie'];
expect(header2.length).to.equal(1);
expect(header2[0]).to.contain('Secure');
server.inject({ method: 'POST', url: '/5', payload: new TestStream(), headers: { 'content-type': 'application/octet-stream', 'content-disposition': 'attachment; filename="test.txt"' }, simulate: { end: true } }, (res6) => {
const cookie2 = header2[0].match(/crumb=([^\x00-\x20\"\,\;\\\x7F]*)/);
expect(res7.result).to.equal(Views.viewWithCrumbAndNoContext(cookie2[1]));
expect(res6.statusCode).to.equal(403);
// Works with redirections
const res8 = await server.inject({
method: 'GET',
url: '/7'
});
server.inject({ method: 'GET', url: '/6' }, (res7) => {
const cookie3 = res8.headers['set-cookie'].toString();
expect(cookie3).to.contain('crumb');
const header2 = res7.headers['set-cookie'];
expect(header2.length).to.equal(1);
expect(header2[0]).to.contain('Secure');
const headers = {};
headers.origin = 'http://127.0.0.1';
const cookie2 = header2[0].match(/crumb=([^\x00-\x20\"\,\;\\\x7F]*)/);
expect(res7.result).to.equal('<!DOCTYPE html><html><head><title></title></head><body><div><h1></h1><h2>' + cookie2[1] + '</h2></div></body></html>');
// Works with cross-origin enabled requests
const res9 = await server.inject({
method: 'GET',
url: '/1',
headers
});
server.inject({ method: 'GET', url: '/7' }, (res8) => {
const cookie3 = res8.headers['set-cookie'].toString();
expect(cookie3).to.contain('crumb');
const headers = {};
headers.origin = 'http://127.0.0.1';
server.inject({ method: 'GET', url: '/1', headers: headers }, (res9) => {
const cookie4 = res9.headers['set-cookie'].toString();
expect(cookie4).to.contain('crumb');
done();
});
});
});
});
});
});
});
});
});
});
const cookie4 = res9.headers['set-cookie'].toString();
expect(cookie4).to.contain('crumb');
});
it('Does not add crumb to view context when "addToViewContext" option set to false', (done) => {
it('Does not add crumb to view context when "addToViewContext" option set to false', async () => {
const server = new Hapi.Server();
server.connection();
const viewOptions = {
path: __dirname + '/templates',
engines: {
html: require('handlebars')
}
};
server.route({
method: 'GET', path: '/1', handler: (request, reply) => {
method: 'GET',
path: '/1',
handler: (request, h) => {

@@ -213,3 +255,3 @@ expect(request.plugins.crumb).to.exist();

return reply.view('index', {
return h.view('index', {
title: 'test',

@@ -221,30 +263,34 @@ message: 'hi'

server.register([{ register: Vision }, { register: Crumb, options: { cookieOptions: { isSecure: true }, addToViewContext: false } }], (err) => {
const plugins = [
Vision,
{
plugin: Crumb,
options: {
cookieOptions: {
isSecure: true
},
addToViewContext: false
}
}
];
expect(err).to.not.exist();
await server.register(plugins);
server.views(internals.viewOptions);
server.views(viewOptions);
const res = await server.inject({
method: 'GET',
url: '/1'
});
server.inject({ method: 'GET', url: '/1' }, (res) => {
expect(res.result).to.equal('<!DOCTYPE html><html><head><title>test</title></head><body><div><h1>hi</h1><h2></h2></div></body></html>');
done();
});
});
expect(res.result).to.equal(Views.viewWithoutCrumb());
});
it('Works without specifying plugin options', (done) => {
it('Works without specifying plugin options', async () => {
const server = new Hapi.Server();
server.connection();
const viewOptions = {
path: __dirname + '/templates',
engines: {
html: require('handlebars')
}
};
server.route({
method: 'GET', path: '/1', handler: (request, reply) => {
method: 'GET',
path: '/1',
handler: (request, h) => {

@@ -254,3 +300,3 @@ expect(request.plugins.crumb).to.exist();

return reply.view('index', {
return h.view('index', {
title: 'test',

@@ -262,56 +308,47 @@ message: 'hi'

server.register([{ register: Vision }, { register: Crumb, options: null }], (err) => {
await server.register([Vision, Crumb]);
expect(err).to.not.exist();
server.views(internals.viewOptions);
server.views(viewOptions);
const res = await server.inject({
method: 'GET',
url: '/1'
});
const header = res.headers['set-cookie'];
expect(header.length).to.equal(1);
server.inject({ method: 'GET', url: '/1' }, (res) => {
const header = res.headers['set-cookie'];
expect(header.length).to.equal(1);
const cookie = header[0].match(/crumb=([^\x00-\x20\"\,\;\\\x7F]*)/);
expect(res.result).to.equal('<!DOCTYPE html><html><head><title>test</title></head><body><div><h1>hi</h1><h2>' + cookie[1] + '</h2></div></body></html>');
done();
});
});
const cookie = header[0].match(/crumb=([^\x00-\x20\"\,\;\\\x7F]*)/);
expect(res.result).to.equal(Views.viewWithCrumb(cookie[1]));
});
it('should fail to register with bad options', (done) => {
it('should fail to register with bad options', async () => {
const server = new Hapi.Server();
server.connection();
server.register({
register: Crumb,
options: {
foo: 'bar'
}
}, (err) => {
try {
await server.register({
plugin: Crumb,
options: {
foo: 'bar'
}
});
}
catch (err) {
expect(err).to.exist();
expect(err.name).to.equal('ValidationError');
expect(err.message).to.equal('"foo" is not allowed');
done();
});
// TODO: Message validation fails because of formatting produced by assert :(
// expect(err.message).to.equal('"foo" is not allowed');
}
});
it('route uses crumb when route.config.plugins.crumb set to true and autoGenerate set to false', (done) => {
it('route uses crumb when route.options.plugins.crumb set to true and autoGenerate set to false', async () => {
const server = new Hapi.Server();
server.connection();
const viewOptions = {
path: __dirname + '/templates',
engines: {
html: require('handlebars')
}
};
server.route([
{
method: 'GET', path: '/1', handler: (request, reply) => {
method: 'GET',
path: '/1',
handler: (request, h) => {

@@ -322,9 +359,23 @@ const crumb = request.plugins.crumb;

return reply('bonjour');
return 'bonjour';
}
},
{
method: 'GET', path: '/2', config: { plugins: { crumb: true } }, handler: (request, reply) => {
method: 'GET',
path: '/2',
options: {
plugins: {
crumb: true
}
},
handler: (request, h) => 'hola'
}
]);
return reply('hola');
await server.register([
Vision,
{
plugin: Crumb,
options: {
autoGenerate: false
}

@@ -334,166 +385,198 @@ }

server.register([{ register: Vision }, { register: Crumb, options: { autoGenerate: false } }], (err) => {
server.views(internals.viewOptions);
expect(err).to.not.exist();
await server.inject({
method: 'GET',
url: '/1'
});
server.views(viewOptions);
const res = await server.inject({ method: 'GET', url: '/2' });
const header = res.headers['set-cookie'];
expect(header.length).to.equal(1);
});
server.inject({ method: 'GET', url: '/1' }, () => {
it('fails validation when no payload provided and not using restful mode', async () => {
server.inject({ method: 'GET', url: '/2' }, (res) => {
const server = new Hapi.Server();
const header = res.headers['set-cookie'];
expect(header.length).to.equal(1);
done();
});
});
server.route({
method: 'POST',
path: '/1',
handler: (request, h) => 'test'
});
});
it('fails validation when no payload provided and not using restful mode', (done) => {
await server.register([Crumb]);
const server = new Hapi.Server();
server.connection();
server.route([
{
method: 'POST', path: '/1', handler: (request, reply) => {
const headers = {};
headers['X-API-Token'] = 'test';
return reply('test');
}
}
]);
const res = await server.inject({
method: 'POST',
url: '/1',
headers
});
server.register([{ register: Crumb }], (err) => {
expect(res.statusCode).to.equal(403);
});
expect(err).to.not.exist();
const headers = {};
headers['X-API-Token'] = 'test';
server.inject({ method: 'POST', url: '/1', headers: headers }, (res) => {
it('does not validate crumb when "skip" option returns true', async () => {
expect(res.statusCode).to.equal(403);
done();
});
const server = new Hapi.Server();
server.route({
method: 'POST',
path: '/1',
handler: (request, h) => 'test'
});
});
it('does not validate crumb when "skip" option returns true', (done) => {
const skip = (request) => request.headers['x-api-token'] === 'test';
const server = new Hapi.Server();
server.connection();
server.route([
const plugins = [
{
method: 'POST', path: '/1', handler: (request, reply) => {
return reply('test');
plugin: Crumb,
options: {
skip
}
}
]);
];
const skip = (request) => {
await server.register(plugins);
return request.headers['x-api-token'] === 'test';
const headers = {
'X-API-Token': 'test'
};
server.register([{ register: Crumb, options: { skip: skip } }], (err) => {
const res = await server.inject({
method: 'POST',
url: '/1',
headers
});
expect(err).to.not.exist();
const headers = {};
headers['X-API-Token'] = 'test';
server.inject({ method: 'POST', url: '/1', headers: headers }, (res) => {
const header = res.headers['set-cookie'];
expect(res.statusCode).to.equal(200);
const header = res.headers['set-cookie'];
expect(header).to.not.exist();
done();
});
});
expect(res.statusCode).to.equal(200);
expect(header).to.not.exist();
});
it('ensures crumb "skip" option is a function', (done) => {
it('ensures crumb "skip" option is a function', async () => {
const server = new Hapi.Server();
server.connection();
server.route([
{
method: 'POST', path: '/1', handler: (request, reply) => {
return reply('test');
}
}
]);
server.route({
method: 'POST',
path: '/1',
handler: (request, h) => 'test'
});
const skip = true;
server.register([{ register: Vision }, { register: Crumb, options: { skip: skip } }], (err) => {
try {
await server.register([
Vision,
{
plugin: Crumb,
options: { skip }
}
]);
}
catch (err) {
expect(err).to.exist();
done();
});
}
});
it('does not set crumb cookie insecurely', (done) => {
it('does not set crumb cookie insecurely', async () => {
const server = new Hapi.Server();
server.connection({ host: 'localhost', port: 80, routes: { cors: true } });
server.route({ method: 'GET', path: '/1', config: { cors: false }, handler: (request, reply) => {
const server = new Hapi.Server({
host: 'localhost',
port: 80,
routes: {
cors: true
}
});
return reply('test');
} });
server.route({ method: 'GET', path: '/2', handler: (request, reply) => {
server.route({
method: 'GET',
path: '/1',
options: {
cors: false
},
handler: (request, h) => 'test'
});
return reply('test');
} });
server.route({ method: 'GET', path: '/3', config: { cors: { origin: ['http://127.0.0.1'] } }, handler: (request, reply) => {
server.route({
method: 'GET',
path: '/2',
handler: (request, h) => 'test'
});
return reply('test');
} });
server.route({
method: 'GET',
path: '/3',
options: {
cors: {
origin: ['http://127.0.0.1']
}
},
handler: (request, h) => 'test'
});
server.register([{ register: Crumb, options: null }], (err) => {
await server.register(Crumb);
expect(err).to.not.exist();
const headers = {};
const headers = {};
const res = await server.inject({
method: 'GET',
url: '/1',
headers
});
server.inject({ method: 'GET', url: '/1', headers: headers }, (res) => {
const header = res.headers['set-cookie'];
expect(header[0]).to.contain('crumb');
const header = res.headers['set-cookie'];
expect(header[0]).to.contain('crumb');
headers.origin = 'http://localhost';
headers.origin = 'http://localhost';
const res2 = await server.inject({
method: 'GET',
url: '/2',
headers
});
server.inject({ method: 'GET', url: '/2', headers: headers }, (res2) => {
const header2 = res2.headers['set-cookie'];
expect(header2[0]).to.contain('crumb');
const header2 = res2.headers['set-cookie'];
expect(header2[0]).to.contain('crumb');
headers.origin = 'http://127.0.0.1';
headers.origin = 'http://127.0.0.1';
const res3 = await server.inject({
method: 'GET',
url: '/3',
headers
});
server.inject({ method: 'GET', url: '/3', headers: headers }, (res3) => {
const header3 = res3.headers['set-cookie'];
const header3 = res3.headers['set-cookie'];
expect(header3[0]).to.contain('crumb');
expect(header3[0]).to.contain('crumb');
server.inject({ method: 'GET', url: '/3' }, (res4) => {
const res4 = await server.inject({
method: 'GET',
url: '/3'
});
const header4 = res3.headers['set-cookie'];
expect(header4[0]).to.contain('crumb');
const header4 = res4.headers['set-cookie'];
headers.origin = 'http://badsite.com';
expect(header4[0]).to.contain('crumb');
server.inject({ method: 'GET', url: '/3', headers: headers }, (res5) => {
headers.origin = 'http://badsite.com';
const header5 = res5.headers['set-cookie'];
expect(header5).to.not.exist();
const res5 = await server.inject({
method: 'GET',
url: '/3',
headers
});
done();
});
});
});
});
});
});
const header5 = res5.headers['set-cookie'];
expect(header5).to.not.exist();
});
it('does not set crumb cookie insecurely using https', (done) => {
it('does not set crumb cookie insecurely using https', async () => {

@@ -503,47 +586,38 @@ const options = {

port: 443,
tls: {
key: '-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA0UqyXDCqWDKpoNQQK/fdr0OkG4gW6DUafxdufH9GmkX/zoKz\ng/SFLrPipzSGINKWtyMvo7mPjXqqVgE10LDI3VFV8IR6fnART+AF8CW5HMBPGt/s\nfQW4W4puvBHkBxWSW1EvbecgNEIS9hTGvHXkFzm4xJ2e9DHp2xoVAjREC73B7JbF\nhc5ZGGchKw+CFmAiNysU0DmBgQcac0eg2pWoT+YGmTeQj6sRXO67n2xy/hA1DuN6\nA4WBK3wM3O4BnTG0dNbWUEbe7yAbV5gEyq57GhJIeYxRvveVDaX90LoAqM4cUH06\n6rciON0UbDHV2LP/JaH5jzBjUyCnKLLo5snlbwIDAQABAoIBAQDJm7YC3pJJUcxb\nc8x8PlHbUkJUjxzZ5MW4Zb71yLkfRYzsxrTcyQA+g+QzA4KtPY8XrZpnkgm51M8e\n+B16AcIMiBxMC6HgCF503i16LyyJiKrrDYfGy2rTK6AOJQHO3TXWJ3eT3BAGpxuS\n12K2Cq6EvQLCy79iJm7Ks+5G6EggMZPfCVdEhffRm2Epl4T7LpIAqWiUDcDfS05n\nNNfAGxxvALPn+D+kzcSF6hpmCVrFVTf9ouhvnr+0DpIIVPwSK/REAF3Ux5SQvFuL\njPmh3bGwfRtcC5d21QNrHdoBVSN2UBLmbHUpBUcOBI8FyivAWJhRfKnhTvXMFG8L\nwaXB51IZAoGBAP/E3uz6zCyN7l2j09wmbyNOi1AKvr1WSmuBJveITouwblnRSdvc\nsYm4YYE0Vb94AG4n7JIfZLKtTN0xvnCo8tYjrdwMJyGfEfMGCQQ9MpOBXAkVVZvP\ne2k4zHNNsfvSc38UNSt7K0HkVuH5BkRBQeskcsyMeu0qK4wQwdtiCoBDAoGBANF7\nFMppYxSW4ir7Jvkh0P8bP/Z7AtaSmkX7iMmUYT+gMFB5EKqFTQjNQgSJxS/uHVDE\nSC5co8WGHnRk7YH2Pp+Ty1fHfXNWyoOOzNEWvg6CFeMHW2o+/qZd4Z5Fep6qCLaa\nFvzWWC2S5YslEaaP8DQ74aAX4o+/TECrxi0z2lllAoGAdRB6qCSyRsI/k4Rkd6Lv\nw00z3lLMsoRIU6QtXaZ5rN335Awyrfr5F3vYxPZbOOOH7uM/GDJeOJmxUJxv+cia\nPQDflpPJZU4VPRJKFjKcb38JzO6C3Gm+po5kpXGuQQA19LgfDeO2DNaiHZOJFrx3\nm1R3Zr/1k491lwokcHETNVkCgYBPLjrZl6Q/8BhlLrG4kbOx+dbfj/euq5NsyHsX\n1uI7bo1Una5TBjfsD8nYdUr3pwWltcui2pl83Ak+7bdo3G8nWnIOJ/WfVzsNJzj7\n/6CvUzR6sBk5u739nJbfgFutBZBtlSkDQPHrqA7j3Ysibl3ZIJlULjMRKrnj6Ans\npCDwkQKBgQCM7gu3p7veYwCZaxqDMz5/GGFUB1My7sK0hcT7/oH61yw3O8pOekee\nuctI1R3NOudn1cs5TAy/aypgLDYTUGQTiBRILeMiZnOrvQQB9cEf7TFgDoRNCcDs\nV/ZWiegVB/WY7H0BkCekuq5bHwjgtJTpvHGqQ9YD7RhE8RSYOhdQ/Q==\n-----END RSA PRIVATE KEY-----\n',
cert: '-----BEGIN CERTIFICATE-----\nMIIDBjCCAe4CCQDvLNml6smHlTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJV\nUzETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\ncyBQdHkgTHRkMB4XDTE0MDEyNTIxMjIxOFoXDTE1MDEyNTIxMjIxOFowRTELMAkG\nA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\nIFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nANFKslwwqlgyqaDUECv33a9DpBuIFug1Gn8Xbnx/RppF/86Cs4P0hS6z4qc0hiDS\nlrcjL6O5j416qlYBNdCwyN1RVfCEen5wEU/gBfAluRzATxrf7H0FuFuKbrwR5AcV\nkltRL23nIDRCEvYUxrx15Bc5uMSdnvQx6dsaFQI0RAu9weyWxYXOWRhnISsPghZg\nIjcrFNA5gYEHGnNHoNqVqE/mBpk3kI+rEVzuu59scv4QNQ7jegOFgSt8DNzuAZ0x\ntHTW1lBG3u8gG1eYBMquexoSSHmMUb73lQ2l/dC6AKjOHFB9Ouq3IjjdFGwx1diz\n/yWh+Y8wY1Mgpyiy6ObJ5W8CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAoSc6Skb4\ng1e0ZqPKXBV2qbx7hlqIyYpubCl1rDiEdVzqYYZEwmst36fJRRrVaFuAM/1DYAmT\nWMhU+yTfA+vCS4tql9b9zUhPw/IDHpBDWyR01spoZFBF/hE1MGNpCSXXsAbmCiVf\naxrIgR2DNketbDxkQx671KwF1+1JOMo9ffXp+OhuRo5NaGIxhTsZ+f/MA4y084Aj\nDI39av50sTRTWWShlN+J7PtdQVA5SZD97oYbeUeL7gI18kAJww9eUdmT0nEjcwKs\nxsQT1fyKbo7AlZBY4KSlUMuGnn0VnAsB9b+LxtXlDfnjyM8bVQx1uAfRo0DO8p/5\n3J5DTjAU55deBQ==\n-----END CERTIFICATE-----\n'
}
tls: TLSCert
};
const server = new Hapi.Server();
server.connection(options);
const server = new Hapi.Server(options);
server.route([
{
method: 'GET', path: '/1', handler: (request, reply) => {
return reply('test');
}
method: 'GET',
path: '/1',
handler: (request, h) => 'test'
}
]);
server.register([{ register: Crumb, options: null }], (err) => {
expect(err).to.not.exist();
await server.register(Crumb);
server.inject({ method: 'GET', url: '/1', headers: { host: 'localhost:443' } }, (res) => {
const res = await server.inject({
method: 'GET',
url: '/1',
headers: {
host: 'localhost:443'
}
});
const header = res.headers['set-cookie'];
expect(header[0]).to.contain('crumb');
done();
});
});
const header = res.headers['set-cookie'];
expect(header[0]).to.contain('crumb');
});
it('validates crumb with X-CSRF-Token header', (done) => {
it('validates crumb with X-CSRF-Token header', async () => {
const server = new Hapi.Server();
server.connection();
const viewOptions = {
path: __dirname + '/templates',
engines: {
html: require('handlebars')
}
};
server.route([
{
method: 'GET', path: '/1', handler: (request, reply) => {
method: 'GET',
path: '/1',
handler: (request, h) => {

@@ -553,3 +627,3 @@ expect(request.plugins.crumb).to.exist();

return reply.view('index', {
return h.view('index', {
title: 'test',

@@ -561,46 +635,68 @@ message: 'hi'

{
method: 'POST', path: '/2', handler: (request, reply) => {
method: 'POST',
path: '/2',
handler: (request, h) => {
expect(request.payload).to.deep.equal({ key: 'value' });
return reply('valid');
expect(request.payload).to.equal({ key: 'value' });
return 'valid';
}
},
{
method: 'POST', path: '/3', config: { payload: { output: 'stream' } }, handler: (request, reply) => {
return reply('never');
}
method: 'POST',
path: '/3',
options: { payload: { output: 'stream' } },
handler: (request, h) => 'never'
},
{
method: 'PUT', path: '/4', handler: (request, reply) => {
method: 'PUT',
path: '/4',
handler: (request, h) => {
expect(request.payload).to.deep.equal({ key: 'value' });
return reply('valid');
expect(request.payload).to.equal({ key: 'value' });
return 'valid';
}
},
{
method: 'PATCH', path: '/5', handler: (request, reply) => {
method: 'PATCH',
path: '/5',
handler: (request, h) => {
expect(request.payload).to.deep.equal({ key: 'value' });
return reply('valid');
expect(request.payload).to.equal({ key: 'value' });
return 'valid';
}
},
{
method: 'DELETE', path: '/6', handler: (request, reply) => {
return reply('valid');
}
method: 'DELETE',
path: '/6',
handler: (request, h) => 'valid'
},
{
method: 'POST', path: '/7', config: { plugins: { crumb: false } }, handler: (request, reply) => {
method: 'POST',
path: '/7',
options: {
plugins: {
crumb: false
}
},
handler: (request, h) => {
expect(request.payload).to.deep.equal({ key: 'value' });
return reply('valid');
expect(request.payload).to.equal({ key: 'value' });
return 'valid';
}
},
{
method: 'POST', path: '/8', config: { plugins: { crumb: { restful: false, source: 'payload' } } }, handler: (request, reply) => {
method: 'POST',
path: '/8',
options: {
plugins: {
crumb: {
restful: false,
source: 'payload'
}
}
},
handler: (request, h) => {
expect(request.payload).to.deep.equal({ key: 'value' });
return reply('valid');
expect(request.payload).to.equal({ key: 'value' });
return 'valid';
}

@@ -611,87 +707,141 @@ }

server.register([{ register: Vision }, { register: Crumb, options: { restful: true, cookieOptions: { isSecure: true } } }], (err) => {
await server.register([
Vision,
{
plugin: Crumb,
options: {
restful: true,
cookieOptions: {
isSecure: true
}
}
}
]);
expect(err).to.not.exist();
server.views(internals.viewOptions);
server.views(viewOptions);
const res = await server.inject({
method: 'GET',
url: '/1'
});
server.inject({ method: 'GET', url: '/1' }, (res) => {
const header = res.headers['set-cookie'];
expect(header.length).to.equal(1);
expect(header[0]).to.contain('Secure');
const header = res.headers['set-cookie'];
expect(header.length).to.equal(1);
expect(header[0]).to.contain('Secure');
const cookie = header[0].match(/crumb=([^\x00-\x20\"\,\;\\\x7F]*)/);
const cookie = header[0].match(/crumb=([^\x00-\x20\"\,\;\\\x7F]*)/);
const validHeader = {
cookie: 'crumb=' + cookie[1],
'x-csrf-token': cookie[1]
};
const validHeader = {};
validHeader.cookie = 'crumb=' + cookie[1];
validHeader['x-csrf-token'] = cookie[1];
const invalidHeader = {
cookie: 'crumb=' + cookie[1],
'x-csrf-token': 'x' + cookie[1]
};
const invalidHeader = {};
invalidHeader.cookie = 'crumb=' + cookie[1];
invalidHeader['x-csrf-token'] = 'x' + cookie[1];
expect(res.result).to.equal(Views.viewWithCrumb(cookie[1]));
expect(res.result).to.equal('<!DOCTYPE html><html><head><title>test</title></head><body><div><h1>hi</h1><h2>' + cookie[1] + '</h2></div></body></html>');
const res2 = await server.inject({
method: 'POST',
url: '/2',
payload: '{ "key": "value" }',
headers: validHeader
});
server.inject({ method: 'POST', url: '/2', payload: '{ "key": "value" }', headers: validHeader }, (res2) => {
expect(res2.result).to.equal('valid');
expect(res2.result).to.equal('valid');
const res3 = await server.inject({
method: 'POST',
url: '/2',
payload: '{ "key": "value" }',
headers: invalidHeader
});
server.inject({ method: 'POST', url: '/2', payload: '{ "key": "value" }', headers: invalidHeader }, (res3) => {
expect(res3.statusCode).to.equal(403);
expect(res3.statusCode).to.equal(403);
const res4 = await server.inject({
method: 'POST',
url: '/3',
headers: {
cookie: 'crumb=' + cookie[1]
}
});
server.inject({ method: 'POST', url: '/3', headers: { cookie: 'crumb=' + cookie[1] } }, (res4) => {
expect(res4.statusCode).to.equal(403);
expect(res4.statusCode).to.equal(403);
const res5 = await server.inject({
method: 'PUT',
url: '/4',
payload: '{ "key": "value" }',
headers: validHeader
});
server.inject({ method: 'PUT', url: '/4', payload: '{ "key": "value" }', headers: validHeader }, (res5) => {
expect(res5.result).to.equal('valid');
expect(res5.result).to.equal('valid');
const res6 = await server.inject({
method: 'PUT',
url: '/4',
payload: '{ "key": "value" }',
headers: invalidHeader
});
server.inject({ method: 'PUT', url: '/4', payload: '{ "key": "value" }', headers: invalidHeader }, (res6) => {
expect(res6.statusCode).to.equal(403);
expect(res6.statusCode).to.equal(403);
const res7 = await server.inject({
method: 'PATCH',
url: '/5',
payload: '{ "key": "value" }',
headers: validHeader
});
server.inject({ method: 'PATCH', url: '/5', payload: '{ "key": "value" }', headers: validHeader }, (res7) => {
expect(res7.result).to.equal('valid');
expect(res7.result).to.equal('valid');
const res8 = await server.inject({
method: 'PATCH',
url: '/5',
payload: '{ "key": "value" }',
headers: invalidHeader
});
server.inject({ method: 'PATCH', url: '/5', payload: '{ "key": "value" }', headers: invalidHeader }, (res8) => {
expect(res8.statusCode).to.equal(403);
expect(res8.statusCode).to.equal(403);
const res9 = await server.inject({
method: 'DELETE',
url: '/6',
headers: validHeader
});
server.inject({ method: 'DELETE', url: '/6', headers: validHeader }, (res9) => {
expect(res9.result).to.equal('valid');
expect(res9.result).to.equal('valid');
const res10 = await server.inject({
method: 'DELETE',
url: '/6',
headers: invalidHeader
});
server.inject({ method: 'DELETE', url: '/6', headers: invalidHeader }, (res10) => {
expect(res10.statusCode).to.equal(403);
expect(res10.statusCode).to.equal(403);
const res11 = await server.inject({
method: 'POST',
url: '/7',
payload: '{ "key": "value" }'
});
server.inject({ method: 'POST', url: '/7', payload: '{ "key": "value" }' }, (res11) => {
expect(res11.result).to.equal('valid');
expect(res11.result).to.equal('valid');
const payload = { key: 'value', crumb: cookie[1] };
const payload = { key: 'value', crumb: cookie[1] };
delete validHeader['x-csrf-token'];
delete validHeader['x-csrf-token'];
server.inject({ method: 'POST', url: '/8', payload: JSON.stringify(payload), headers: validHeader }, (res12) => {
const res12 = await server.inject({
method: 'POST',
url: '/8',
payload: JSON.stringify(payload),
headers: validHeader
});
expect(res12.statusCode).to.equal(200);
done();
});
});
});
});
});
});
});
});
});
});
});
});
});
expect(res12.statusCode).to.equal(200);
});
});
.npmignore
.travis.yml

Sorry, the diff of this file is not supported yet

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

About

Packages

npm

Go

Maven

PyPI

Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc