csurf - npm Package Compare versions

Comparing version 0.0.2 to 0.1.0

index.js

@@ -9,11 +9,24 @@ var crypto = require('crypto')
 
+exports.get = function () {
+  var csrf = this._csrf
+  if (csrf)
+    return csrf
+
+  var salt = crypto.randomBytes(12).toString('base64')
+
+  return this._csrf = salt + ';'
+    + createHash(salt, this.session.secret)
+}
+
 exports.set = function (req, res, next) {
-  if (!req.session || req.session._csrf)
+  var secret = req.session.secret
+  if (secret)
     return next()
 
-  createToken(function (err, csrf) {
-    if (!err)
-      req.session._csrf = csrf
+  crypto.randomBytes(24, function (err, buf) {
+    if (err)
+      return next(err)
 
-    next(err)
+    req.session.secret = buf.toString('base64')
+    next()
   })
@@ -26,8 +39,4 @@ }
 
-  var value = req.headers['x-csrf-token']
+  check(req, res, next, req.headers['x-csrf-token']
     || (req.body && req.body._csrf)
-
-  next(req.session._csrf === value
-    ? null
-    : passError(403)
   )
@@ -40,18 +49,35 @@ }
 
-  next(req.body && req.session._csrf === req.body._csrf
-    ? null
-    : passError(403)
-  )
+  check(req, res, next, req.body && req.body._csrf)
 }
 
-exports.checkHeader = function (req) {
+exports.checkHeader = function (req, res, next) {
   if (ignoreMethods[req.method])
     return next()
 
-  next(req.session._csrf === req.headers['x-csrf-token']
-    ? null
-    : passError(403)
-  )
+  check(req, res, next, req.headers['x-csrf-token'])
 }
 
+function check(req, res, next, value) {
+  if (!value)
+    return next(passError(403))
+
+  var secret = req.session.secret
+  if (!secret)
+    return next(passError(403))
+
+  var frags = value.split(';')
+  var salt = frags[0]
+  var hash = frags[1]
+  if (!hash || createHash(salt, secret) !== hash)
+    return next(passError(403))
+
+  next()
+}
+
+function createHash(salt, secret) {
+  return crypto.createHash('sha1')
+    .update(salt + ';' + secret)
+    .digest('base64')
+}
+
 function passError(status) {
@@ -61,15 +87,2 @@ var err = new Error()
   return err
-}
-
-function createToken(callback) {
-  return crypto.randomBytes(18, function (err, buf) {
-    if (err)
-      return callback(err)
-
-    callback(null, buf.toString('base64')
-      .slice(0, 24)
-      .replace(/\//g, '-')
-      .replace(/\+/g, '_')
-    )
-  })
 }

package.json

 {
   "name": "csurf",
   "description": "CSRF middleware",
-  "version": "0.0.2",
+  "version": "0.1.0",
   "author": {
@@ -6,0 +6,0 @@ "name": "Jonathan Ong",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

3935

increased by9.85%

Lines of code

64

increased by14.29%

No dependency changes