csurf - npm Package Compare versions

Comparing version 1.2.0 to 1.2.1

6

HISTORY.md
1.2.0 / 2014-05-13
==================
* add support for double-submit cookie
1.1.0 / 2014-04-06

@@ -3,0 +9,0 @@ ==================

76

index.js

@@ -9,10 +9,2 @@ /*!

/**
* Module dependencies.
*/
var uid = require('uid2');
var crypto = require('crypto');
var scmp = require('scmp');
/**
* CSRF protection middleware.

@@ -37,2 +29,4 @@ *

var tokens = require('csrf-tokens')(options);
if (cookie && typeof cookie !== 'object')

@@ -64,3 +58,3 @@ cookie = {};

// generate secret
uid(24, function(err, secret){
tokens.secret(function(err, secret){
if (err) return next(err);

@@ -86,3 +80,3 @@ if (cookie)

req.csrfToken = function csrfToken() {
return token || (token = saltedToken(secret));
return token || (token = tokens.create(secret));
};

@@ -97,3 +91,3 @@

// check
if (!checkToken(val, secret)) {
if (!val || !tokens.verify(secret, val)) {
var err = new Error('invalid csrf token');

@@ -125,61 +119,1 @@ err.status = 403;

}
/**
* Return salted token.
*
* @param {String} secret
* @return {String}
* @api private
*/
function saltedToken(secret) {
return createToken(generateSalt(10), secret);
}
/**
* Creates a CSRF token from a given salt and secret.
*
* @param {String} salt (should be 10 characters)
* @param {String} secret
* @return {String}
* @api private
*/
function createToken(salt, secret) {
return salt + crypto
.createHash('sha1')
.update(salt + secret)
.digest('base64');
}
/**
* Checks if a given CSRF token matches the given secret.
*
* @param {String} token
* @param {String} secret
* @return {Boolean}
* @api private
*/
function checkToken(token, secret) {
if ('string' != typeof token) return false;
return scmp(token, createToken(token.slice(0, 10), secret));
}
/**
* Generates a random salt, using a fast non-blocking PRNG (Math.random()).
*
* @param {Number} length
* @return {String}
* @api private
*/
function generateSalt(length) {
var i, r = [];
for (i = 0; i < length; ++i) {
r.push(SALTCHARS[Math.floor(Math.random() * SALTCHARS.length)]);
}
return r.join('');
}
var SALTCHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
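Review bot: The new guard `if (!val || !tokens.verify(secret, val))` only rejects falsy values, whereas the removed `checkToken` also refused any non-string token before comparing; a token read from a query string or body can arrive as an array or object, and whether `tokens.verify` copes with that depends on csrf-tokens, which is not visible here. Making the type check explicit again keeps the middleware's own contract independent of the library: `if (typeof val !== 'string' || !tokens.verify(secret, val)) {`. The middleware function enclosing this check starts and ends outside the hunk, and the same holds for the `tokens.secret` callback hunk above, whose body continues beyond what is shown.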
{
"name": "csurf",
"description": "CSRF token middleware",
"version": "1.2.0",
"version": "1.2.1",
"author": {

@@ -14,4 +14,3 @@ "name": "Jonathan Ong",

"dependencies": {
"uid2": "~0.0.2",
"scmp": "~0.0.3"
"csrf-tokens": "~1.0.2"
},

@@ -18,0 +17,0 @@ "devDependencies": {

@@ -37,3 +37,3 @@ # csurf [![Build Status](https://travis-ci.org/expressjs/csurf.svg?branch=master)](https://travis-ci.org/expressjs/csurf) [![NPM Version](https://badge.fury.io/js/csurf.svg)](https://badge.fury.io/js/csurf)

### req.crsfToken()
### req.csrfToken()

@@ -40,0 +40,0 @@ Lazy-loads the token associated with the request.
