Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
crumb - npm Package Compare versions
Comparing version 7.1.0 to 7.2.0
@@ -11,3 +11,7 @@ 'use strict'; | ||
| // Constants | ||
| const restfulValidatedMethods = ['post', 'put', 'patch', 'delete']; | ||
| // Declare internals | ||
@@ -27,2 +31,3 @@ | ||
| skip: Joi.func().optional(), | ||
| enforce: Joi.boolean().optional(), | ||
| logUnauthorized: Joi.boolean().optional() | ||
@@ -43,2 +48,3 @@ }); | ||
| skip: false, // Set to a function which returns true when to skip crumb generation and validation, | ||
| enforce: true, // Set to true for setting the CSRF cookie while not performing validation | ||
| logUnauthorized: false // Set to true for crumb to write an event to the request log | ||
@@ -98,2 +104,8 @@ }; | ||
| // Skip validation on dry run | ||
| if (!settings.enforce) { | ||
| return h.continue; | ||
| } | ||
| // Validate crumb | ||
@@ -129,5 +141,3 @@ | ||
| else { | ||
| if (request.method !== 'post' && request.method !== 'put' && request.method !== 'patch' && request.method !== 'delete' || | ||
| !request.route.settings.plugins._crumb) { | ||
| if (!restfulValidatedMethods.includes(request.method) || !request.route.settings.plugins._crumb) { | ||
| return h.continue; | ||
@@ -134,0 +144,0 @@ } |
| { | ||
| "name": "crumb", | ||
| "description": "CSRF crumb generation and validation plugin", | ||
| "version": "7.1.0", | ||
| "repository": "git://github.com/hapijs/crumb", | ||
| "version": "7.2.0", | ||
| "repository": "git://github.com/hapijs/crumb", | ||
| "bugs": { | ||
@@ -7,0 +7,0 @@ "url": "https://github.com/hapijs/crumb/issues" |
@@ -7,3 +7,3 @@  | ||
| Lead Maintainer: [Jonathan Samines](https://github.com/jonathansamines) | ||
| Lead Maintainer: [Sanjay Pandit](https://github.com/spanditcaa) | ||
@@ -75,2 +75,3 @@ ## About CSRF | ||
| * `skip` - a function with the signature of `function (request, h) {}`, which when provided, is called for every request. If the provided function returns true, validation and generation of crumb is skipped. Defaults to `false`. | ||
| * `enforce` - defaults to true, using enforce with false will set the CSRF header cookie but won't execute the validation | ||
| * `logUnauthorized` - whether to add to the request log with tag 'crumb' and data 'validation failed' (defaults to false) | ||
@@ -85,1 +86,7 @@ | ||
| * `restful` - an override for the server's 'restful' setting. Defaults to `plugin.restful`. | ||
| ### Contribute | ||
| * First, install `lab` and `code` with global `npm i -g lab code` | ||
| * Run tests with `npm test` |
@@ -1162,2 +1162,39 @@ 'use strict'; | ||
| }); | ||
| it('should set cookie but ignore check with enforce flag turned off', async () => { | ||
| const server = new Hapi.Server(); | ||
| server.route({ | ||
| method: 'POST', | ||
| path: '/1', | ||
| handler: (request, h) => 'test' | ||
| }); | ||
| const plugins = [ | ||
| { | ||
| plugin: Crumb, | ||
| options: { | ||
| enforce: false | ||
| } | ||
| } | ||
| ]; | ||
| await server.register(plugins); | ||
| const headers = { | ||
| 'X-API-Token': 'test' | ||
| }; | ||
| const res = await server.inject({ | ||
| method: 'POST', | ||
| url: '/1', | ||
| headers | ||
| }); | ||
| const header = res.headers['set-cookie']; | ||
| expect(header).to.exist(); | ||
| expect(res.statusCode).to.equal(200); | ||
| }); | ||
| }); |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by1.33%
116762
- Number of package files
- increased by5.56%
19
- Lines of code
- increased by2.93%
1229
- Number of lines in readme file
- increased by8.43%
90
No dependency changes