csurf - npm Package Compare versions

Comparing version 1.1.0 to 1.2.0

index.js

 /*!
- * Connect - csrf
+ * Expressjs | Connect - csrf
  * Copyright(c) 2011 Sencha Inc.
+ * Copyright(c) 2014 Jonathan Ong
  * MIT Licensed
@@ -16,4 +17,2 @@ */
 /**
- * Anti CSRF:
- *
  * CSRF protection middleware.
@@ -26,17 +25,4 @@ *
  *
- * The default `value` function checks for the token in one of the
- * following places:
- *   - the `_csrf` parameter in the `req.body` generated by the
- *     `bodyParser()` middleware,
- *   - the `_csrf` parameter in the `req.query` generated by `query()`,
- *   - the "X-CSRF-Token" header field.
- *
- * This middleware requires session support, thus should be added
- * somewhere _below_ `session()` and `cookieParser()`.
- *
- * Options:
- *
- *    - `value` a function accepting the request, returning the token
- *
  * @param {Object} options
+ * @return {Function} middleware
  * @api public
@@ -47,8 +33,30 @@ */
   options = options || {};
-  var value = options.value || defaultValue;
+  var value = options.value || defaultValue,
+      cookie = options.cookie,
+      cookieKey = (cookie && cookie.key) || '_csrf',
+      signedCookie = cookie && cookie.signed;
 
+  if (cookie && typeof cookie !== 'object')
+    cookie = {};
+
   return function(req, res, next){
 
     // already have one
-    var secret = req.session.csrfSecret;
+    var secret;
+    if (cookie) {
+      secret = (   (signedCookie
+                    && req.signedCookies
+                    && req.signedCookies[cookieKey])
+                || (!signedCookie
+                    && req.cookies
+                    && req.cookies[cookieKey])
+               );
+    } else if (req.session)
+      secret = req.session.csrfSecret;
+    else {
+      var err = new Error('misconfigured csrf');
+      err.status = 500;
+      next(err);
+      return;
+    }
     if (secret) return createToken(secret);
@@ -59,3 +67,12 @@
       if (err) return next(err);
-      req.session.csrfSecret = secret;
+      if (cookie)
+        res.cookie(cookieKey, secret, cookie);
+      else if (req.session)
+        req.session.csrfSecret = secret;
+      else {
+        var err = new Error('misconfigured csrf');
+        err.status = 500;
+        next(err);
+        return;
+      }
       createToken(secret);
@@ -62,0 +79,0 @@ });

package.json

 {
   "name": "csurf",
   "description": "CSRF token middleware",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "author": {
@@ -20,7 +20,11 @@ "name": "Jonathan Ong",
     "body-parser": "*",
-    "mocha": "^1.17.0",
-    "should": "^3.0.0",
+    "cookie-parser": "*",
+    "mocha": ">= 1.17.0 < 2",
+    "should": ">= 3.0.0 < 4",
     "supertest": "*",
     "connect": "*"
   },
+  "engines": {
+    "node": ">= 0.8.0"
+  },
   "scripts": {
@@ -27,0 +31,0 @@ "test": "make test"

README.md

@@ -0,6 +1,53 @@
+# csurf [![Build Status](https://travis-ci.org/expressjs/csurf.svg?branch=master)](https://travis-ci.org/expressjs/csurf) [![NPM Version](https://badge.fury.io/js/csurf.svg)](https://badge.fury.io/js/csurf)
 
-# CSURF
+Node.js [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) protection middleware.
 
-CSRF middleware for connect/express/node.
+Requires either a session middleware or [cookie-parser](https://github.com/expressjs/cookie-parser) to be initialized first.
+- [session](https://github.com/expressjs/session)
+- [cookie-session](https://github.com/expressjs/cookie-session)
 
-It currently has the same API as [connect-csrf](http://www.senchalabs.org/connect/csrf.html), except it is now in its own repository.
+### Install
+
+```sh
+$ npm install csurf
+```
+
+## API
+
+```js
+var csrf = require('csurf')
+```
+
+### csrf(options)
+
+This middleware adds a `req.csrfToken()` function to make a token which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor's session or csrf cookie.
+
+#### Options
+
+- `value` a function accepting the request, returning the token.
+  - The default function checks four possible token locations:
+    - `_csrf` parameter in `req.body` generated by the `body-parser` middleware.
+    - `_csrf` parameter in `req.query` generated by `query()`.
+    - `x-csrf-token` and `x-xsrf-token` header fields.
+- `cookie` set to a truthy value to enable cookie-based instead of session-based csrf secret storage.
+  - If `cookie` is an object, these options can be configured, otherwise defaults are used:
+    - `key` the name of the cookie to use (defaults to `_csrf`) to store the csrf secret
+    - any other [res.cookie](http://expressjs.com/4x/api.html#res.cookie) options can be set
+
+### req.crsfToken()
+
+Lazy-loads the token associated with the request.
+
+## Example
+
+```js
+var express = require('express')
+var csrf    = require('csurf')
+
+var app = express()
+app.use(csrf())
+```
+
+## License
+
+[MIT](LICENSE)

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

7861

increased by36.62%

Lines of code

154

increased by11.59%

Number of lines in readme file

54

increased by671.43%

Worsened metrics

Dev dependency count

7

increased by16.67%

Number of package files

7

decreased by-12.5%

Number of medium supply chain risk alerts

1

increased byInfinity%

No dependency changes