crumb - npm Package Compare versions

Comparing version 7.1.0 to 7.2.1

.npmignore

16

lib/index.js

@@ -11,3 +11,7 @@ 'use strict';

// Constants
const restfulValidatedMethods = ['post', 'put', 'patch', 'delete'];
// Declare internals
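Review bot: the new `restfulValidatedMethods` constant has no comment saying what it is for (the methods that are CSRF-checked in restful mode, as opposed to the reads that never are), and it silently depends on the lowercase spelling, since the comparison it replaces (`request.method !== 'post'`) shows hapi hands the plugin a lowercase `request.method`; a one-line comment such as `// Methods that carry state-changing semantics and therefore require a crumb (hapi lowercases request.method)` would keep a future contributor from adding `'DELETE'` and wondering why it never matches.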

@@ -27,2 +31,3 @@

skip: Joi.func().optional(),
enforce: Joi.boolean().optional(),
logUnauthorized: Joi.boolean().optional()

@@ -43,2 +48,3 @@ });

skip: false, // Set to a function which returns true when to skip crumb generation and validation,
enforce: true, // Set to true for setting the CSRF cookie while not performing validation
logUnauthorized: false // Set to true for crumb to write an event to the request log
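Review bot: the inline comment on `enforce` is inverted: it is `false`, not `true`, that "sets the CSRF cookie while not performing validation" (the validation path returns early on `!settings.enforce`, and the README text in this same diff says "enforce with false will set the CSRF header cookie but won't execute the validation"). Suggest `enforce: true, // Set to false to still set the crumb cookie but skip validation`. The trailing comma inside the `skip` comment ("...generation and validation,") is also a leftover worth dropping.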

@@ -98,2 +104,8 @@ };

// Skip validation on dry run
if (!settings.enforce) {
return h.continue;
}
// Validate crumb
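Review bot: the early `return h.continue` on `!settings.enforce` short-circuits before the validation (and therefore before any `logUnauthorized` log event), so the mode the comment calls a "dry run" produces no signal at all about requests that would have been rejected. If the intent is a monitoring mode that lets operators roll CSRF protection out safely, run the validation, emit the `crumb`/`validation failed` log event when `logUnauthorized` is set, and only then `return h.continue`; if the intent is simply to disable enforcement, rename the comment from "dry run" to something like "Enforcement disabled: cookie is still issued, request is not validated" so nobody relies on logging that never happens.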

@@ -129,5 +141,3 @@

else {
if (request.method !== 'post' && request.method !== 'put' && request.method !== 'patch' && request.method !== 'delete' ||
!request.route.settings.plugins._crumb) {
if (!restfulValidatedMethods.includes(request.method) || !request.route.settings.plugins._crumb) {
return h.continue;
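Review bot: behaviour-preserving refactor of the method check; `!restfulValidatedMethods.includes(request.method) || !request.route.settings.plugins._crumb` keeps the same `!a || !b` precedence as the four inline comparisons it replaces, so the skip condition is unchanged. `Array.prototype.includes` needs a newer Node than the `async` test added in this same diff already assumes, so there is no compatibility concern.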

@@ -134,0 +144,0 @@ }

4

package.json
{
"name": "crumb",
"description": "CSRF crumb generation and validation plugin",
"version": "7.1.0",
"version": "7.2.1",
"repository": "git://github.com/hapijs/crumb",

@@ -22,3 +22,3 @@ "bugs": {

"boom": "7.x.x",
"cryptiles": "4.x.x",
"cryptiles": "^4.1.2",
"hoek": "5.x.x",
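Review bot: raising `cryptiles` from `4.x.x` to `^4.1.2` sets a floor that excludes 4.0.x, 4.1.0 and 4.1.1, but the hunk gives no rationale. A dependency floor bump in a package whose job is "CSRF crumb generation and validation" is security-relevant (cryptiles is the randomness dependency here), so the commit message or changelog should say what in 4.1.2 is required, and the bump deserves a mention in the release notes so downstream users know to refresh their lockfiles rather than stay on an older resolved 4.x.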

@@ -25,0 +25,0 @@ "joi": "13.x.x"

@@ -7,3 +7,3 @@ ![crumb Logo](https://raw.github.com/hapijs/crumb/master/images/crumb.png)

Lead Maintainer: [Jonathan Samines](https://github.com/jonathansamines)
Lead Maintainer: [Sanjay Pandit](https://github.com/spanditcaa)

@@ -75,2 +75,3 @@ ## About CSRF

* `skip` - a function with the signature of `function (request, h) {}`, which when provided, is called for every request. If the provided function returns true, validation and generation of crumb is skipped. Defaults to `false`.
* `enforce` - defaults to true, using enforce with false will set the CSRF header cookie but won't execute the validation
* `logUnauthorized` - whether to add to the request log with tag 'crumb' and data 'validation failed' (defaults to false)
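Review bot: the new `enforce` bullet is ambiguous ("CSRF header cookie" is not a thing the plugin sets; it sets the crumb cookie) and its style does not match the neighbouring bullets, which use backticks and a trailing "Defaults to" sentence. Suggest: `* \`enforce\` - when \`false\`, the crumb cookie is still set on the response but requests are not validated. Defaults to \`true\`.` It would also help to state that this is a server-wide switch applied at plugin registration, and that no `logUnauthorized` event is written while validation is skipped.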

@@ -85,1 +86,7 @@

* `restful` - an override for the server's 'restful' setting. Defaults to `plugin.restful`.
### Contribute
* First, install `lab` and `code` with global `npm i -g lab code`
* Run tests with `npm test`
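Review bot: the Contribute section tells contributors to install `lab` and `code` globally, which bypasses whatever versions the repository pins for them; if they are listed as devDependencies (not visible in this diff) the instruction should simply be `npm install` followed by `npm test`, so everyone runs the same test-runner and assertion-library versions the CI does. Global installs also make the "Run tests with `npm test`" step depend on PATH ordering rather than on `node_modules/.bin`.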

@@ -1162,2 +1162,39 @@ 'use strict';

});
it('should set cookie but ignore check with enforce flag turned off', async () => {
const server = new Hapi.Server();
server.route({
method: 'POST',
path: '/1',
handler: (request, h) => 'test'
});
const plugins = [
{
plugin: Crumb,
options: {
enforce: false
}
}
];
await server.register(plugins);
const headers = {
'X-API-Token': 'test'
};
const res = await server.inject({
method: 'POST',
url: '/1',
headers
});
const header = res.headers['set-cookie'];
expect(header).to.exist();
expect(res.statusCode).to.equal(200);
});
});
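Review bot: the test proves less than its name claims. It sends a POST with no crumb at all, so the 200 only shows that a missing crumb is tolerated; sending a deliberately wrong crumb (the same cookie name and header the plugin validates, with a mismatched value) would show that validation is actually skipped rather than merely absent. The `'X-API-Token': 'test'` header plays no part in either assertion and looks copied from a neighbouring test; drop it or explain it. A companion case registering the plugin with the default `enforce` and asserting the same request is rejected would pin the behaviour difference that this option introduces.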