Comparing version 1.1.0 to 1.2.0
index.js
/*! | ||
* Connect - csrf | ||
* Expressjs | Connect - csrf | ||
* Copyright(c) 2011 Sencha Inc. | ||
* Copyright(c) 2014 Jonathan Ong | ||
* MIT Licensed | ||
@@ -16,4 +17,2 @@ */ | ||
/** | ||
* Anti CSRF: | ||
* | ||
* CSRF protection middleware. | ||
@@ -26,17 +25,4 @@ * | ||
* | ||
* The default `value` function checks for the token in one of the | ||
* following places: | ||
* - the `_csrf` parameter in the `req.body` generated by the | ||
* `bodyParser()` middleware, | ||
* - the `_csrf` parameter in the `req.query` generated by `query()`, | ||
* - the "X-CSRF-Token" header field. | ||
* | ||
* This middleware requires session support, thus should be added | ||
* somewhere _below_ `session()` and `cookieParser()`. | ||
* | ||
* Options: | ||
* | ||
* - `value` a function accepting the request, returning the token | ||
* | ||
* @param {Object} options | ||
* @return {Function} middleware | ||
* @api public | ||
@@ -47,8 +33,30 @@ */ | ||
options = options || {}; | ||
var value = options.value || defaultValue; | ||
var value = options.value || defaultValue, | ||
cookie = options.cookie, | ||
cookieKey = (cookie && cookie.key) || '_csrf', | ||
signedCookie = cookie && cookie.signed; | ||
if (cookie && typeof cookie !== 'object') | ||
cookie = {}; | ||
return function(req, res, next){ | ||
// already have one | ||
var secret = req.session.csrfSecret; | ||
var secret; | ||
if (cookie) { | ||
secret = ( (signedCookie | ||
&& req.signedCookies | ||
&& req.signedCookies[cookieKey]) | ||
|| (!signedCookie | ||
&& req.cookies | ||
&& req.cookies[cookieKey]) | ||
); | ||
} else if (req.session) | ||
secret = req.session.csrfSecret; | ||
else { | ||
var err = new Error('misconfigured csrf'); | ||
err.status = 500; | ||
next(err); | ||
return; | ||
} | ||
if (secret) return createToken(secret); | ||
@@ -59,3 +67,12 @@ | ||
if (err) return next(err); | ||
req.session.csrfSecret = secret; | ||
if (cookie) | ||
res.cookie(cookieKey, secret, cookie); | ||
else if (req.session) | ||
req.session.csrfSecret = secret; | ||
else { | ||
var err = new Error('misconfigured csrf'); | ||
err.status = 500; | ||
next(err); | ||
return; | ||
} | ||
createToken(secret); | ||
@@ -62,0 +79,0 @@ }); |
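Review bot: In the `@@ -47,8 +33,30 @@` hunk the secret is read from `req.cookies[cookieKey]` whenever `cookie.signed` is not set, so by default the value later tokens are checked against is a plain client-supplied cookie rather than server-held session state; that is the double-submit pattern, whose guarantee rests only on the browser's cookie write policy, so the option should say so and point users at `signed: true` (which needs cookie-parser initialized with a secret — otherwise `req.signedCookies` is undefined here and a fresh secret appears to be generated on every request). The `@@ -26,17 +25,4 @@` hunk drops the Options section from the JSDoc just as this hunk introduces the `cookie` option, so nothing in index.js documents it; I would add `* - \`cookie\` store the secret in a cookie instead of \`req.session\`; an object is passed through to \`res.cookie()\`, and its \`key\` (default \`_csrf\`) and \`signed\` fields are also read here`. The `'misconfigured csrf'` block appears verbatim in this hunk and again in `@@ -59,3 +67,12 @@`; a small `function misconfigured(next) { var err = new Error('misconfigured csrf'); err.status = 500; next(err); }` would keep the two in step and avoid the duplicated `var err`. The enclosing middleware closure and the callback in the last hunk both extend beyond the lines shown.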
{ | ||
"name": "csurf", | ||
"description": "CSRF token middleware", | ||
"version": "1.1.0", | ||
"version": "1.2.0", | ||
"author": { | ||
@@ -20,7 +20,11 @@ "name": "Jonathan Ong", | ||
"body-parser": "*", | ||
"mocha": "^1.17.0", | ||
"should": "^3.0.0", | ||
"cookie-parser": "*", | ||
"mocha": ">= 1.17.0 < 2", | ||
"should": ">= 3.0.0 < 4", | ||
"supertest": "*", | ||
"connect": "*" | ||
}, | ||
"engines": { | ||
"node": ">= 0.8.0" | ||
}, | ||
"scripts": { | ||
@@ -27,0 +31,0 @@ "test": "make test" |
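Review bot: `cookie-parser` is added as `"*"` in the same hunk that narrows `mocha` and `should` to bounded ranges, and `body-parser`, `supertest` and `connect` remain at `"*"`, so any future major of those packages is pulled in without review. The neighbouring keys suggest this is the test dependency block, which limits the exposure to the build rather than the published module, but giving the new entry a bounded range in the same style as the `mocha` line keeps the commit consistent with itself. The enclosing object and its key are outside the hunk, so whether these are devDependencies is inferred, not visible.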
@@ -0,6 +1,53 @@ | ||
# csurf [![Build Status](https://travis-ci.org/expressjs/csurf.svg?branch=master)](https://travis-ci.org/expressjs/csurf) [![NPM Version](https://badge.fury.io/js/csurf.svg)](https://badge.fury.io/js/csurf) | ||
# CSURF | ||
Node.js [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) protection middleware. | ||
CSRF middleware for connect/express/node. | ||
Requires either a session middleware or [cookie-parser](https://github.com/expressjs/cookie-parser) to be initialized first. | ||
- [session](https://github.com/expressjs/session) | ||
- [cookie-session](https://github.com/expressjs/cookie-session) | ||
It currently has the same API as [connect-csrf](http://www.senchalabs.org/connect/csrf.html), except it is now in its own repository. | ||
### Install | ||
```sh | ||
$ npm install csurf | ||
``` | ||
## API | ||
```js | ||
var csrf = require('csurf') | ||
``` | ||
### csrf(options) | ||
This middleware adds a `req.csrfToken()` function to make a token which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor's session or csrf cookie. | ||
#### Options | ||
- `value` a function accepting the request, returning the token. | ||
- The default function checks four possible token locations: | ||
- `_csrf` parameter in `req.body` generated by the `body-parser` middleware. | ||
- `_csrf` parameter in `req.query` generated by `query()`. | ||
- `x-csrf-token` and `x-xsrf-token` header fields. | ||
- `cookie` set to a truthy value to enable cookie-based instead of session-based csrf secret storage. | ||
- If `cookie` is an object, these options can be configured, otherwise defaults are used: | ||
- `key` the name of the cookie to use (defaults to `_csrf`) to store the csrf secret | ||
- any other [res.cookie](http://expressjs.com/4x/api.html#res.cookie) options can be set | ||
### req.crsfToken() | ||
Lazy-loads the token associated with the request. | ||
## Example | ||
```js | ||
var express = require('express') | ||
var csrf = require('csurf') | ||
var app = express() | ||
app.use(csrf()) | ||
``` | ||
## License | ||
[MIT](LICENSE) |
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but they do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package