Comparing version 1.2.0 to 1.2.1
1.2.0 / 2014-05-13 | ||
================== | ||
* add support for double-submit cookie | ||
1.1.0 / 2014-04-06 | ||
@@ -3,0 +9,0 @@ ================== |
index.js
@@ -9,10 +9,2 @@ /*! | ||
/** | ||
* Module dependencies. | ||
*/ | ||
var uid = require('uid2'); | ||
var crypto = require('crypto'); | ||
var scmp = require('scmp'); | ||
/** | ||
* CSRF protection middleware. | ||
@@ -37,2 +29,4 @@ * | ||
var tokens = require('csrf-tokens')(options); | ||
if (cookie && typeof cookie !== 'object') | ||
@@ -64,3 +58,3 @@ cookie = {}; | ||
// generate secret | ||
uid(24, function(err, secret){ | ||
tokens.secret(function(err, secret){ | ||
if (err) return next(err); | ||
@@ -86,3 +80,3 @@ if (cookie) | ||
req.csrfToken = function csrfToken() { | ||
return token || (token = saltedToken(secret)); | ||
return token || (token = tokens.create(secret)); | ||
}; | ||
@@ -97,3 +91,3 @@ | ||
// check | ||
if (!checkToken(val, secret)) { | ||
if (!val || !tokens.verify(secret, val)) { | ||
var err = new Error('invalid csrf token'); | ||
@@ -125,61 +119,1 @@ err.status = 403; | ||
} | ||
/** | ||
* Return salted token. | ||
* | ||
* @param {String} secret | ||
* @return {String} | ||
* @api private | ||
*/ | ||
function saltedToken(secret) { | ||
return createToken(generateSalt(10), secret); | ||
} | ||
/** | ||
* Creates a CSRF token from a given salt and secret. | ||
* | ||
* @param {String} salt (should be 10 characters) | ||
* @param {String} secret | ||
* @return {String} | ||
* @api private | ||
*/ | ||
function createToken(salt, secret) { | ||
return salt + crypto | ||
.createHash('sha1') | ||
.update(salt + secret) | ||
.digest('base64'); | ||
} | ||
/** | ||
* Checks if a given CSRF token matches the given secret. | ||
* | ||
* @param {String} token | ||
* @param {String} secret | ||
* @return {Boolean} | ||
* @api private | ||
*/ | ||
function checkToken(token, secret) { | ||
if ('string' != typeof token) return false; | ||
return scmp(token, createToken(token.slice(0, 10), secret)); | ||
} | ||
/** | ||
* Generates a random salt, using a fast non-blocking PRNG (Math.random()). | ||
* | ||
* @param {Number} length | ||
* @return {String} | ||
* @api private | ||
*/ | ||
function generateSalt(length) { | ||
var i, r = []; | ||
for (i = 0; i < length; ++i) { | ||
r.push(SALTCHARS[Math.floor(Math.random() * SALTCHARS.length)]); | ||
} | ||
return r.join(''); | ||
} | ||
var SALTCHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; |
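Review bot: The new token check in the `@@ -97,3 +91,3 @@` hunk, `if (!val || !tokens.verify(secret, val))`, drops the explicit string-type guard the removed checkToken had (`'string' != typeof token`), so a truthy non-string value read from the request now reaches tokens.verify; unless csrf-tokens is known to reject non-string input, the guard is cheap to keep: `if (typeof val !== 'string' || !tokens.verify(secret, val)) {`. In the `@@ -37,2 +29,4 @@` hunk the secret-generation and comparison properties the old code got from uid(24) and scmp now depend entirely on csrf-tokens, which presumably provides them but nothing in index.js records that expectation. A one-line comment above `var tokens = require('csrf-tokens')(options);` such as `// NOTE: random secret generation and constant-time token verification are expected from csrf-tokens — confirm against the pinned version` would make the contract explicit for the next dependency change. The enclosing middleware function starts and ends outside these hunks.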
{ | ||
"name": "csurf", | ||
"description": "CSRF token middleware", | ||
"version": "1.2.0", | ||
"version": "1.2.1", | ||
"author": { | ||
@@ -14,4 +14,3 @@ "name": "Jonathan Ong", | ||
"dependencies": { | ||
"uid2": "~0.0.2", | ||
"scmp": "~0.0.3" | ||
"csrf-tokens": "~1.0.2" | ||
}, | ||
@@ -18,0 +17,0 @@ "devDependencies": { |
@@ -37,3 +37,3 @@ # csurf [![Build Status](https://travis-ci.org/expressjs/csurf.svg?branch=master)](https://travis-ci.org/expressjs/csurf) [![NPM Version](https://badge.fury.io/js/csurf.svg)](https://badge.fury.io/js/csurf) | ||
### req.crsfToken() | ||
### req.csrfToken() | ||
@@ -40,0 +40,0 @@ Lazy-loads the token associated with the request. |
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but they do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
+ Added csrf-tokens@~1.0.2
+ Added csrf-tokens@1.0.4 (transitive)
+ Added rndm@1.2.0 (transitive)
- Removed scmp@~0.0.3
- Removed uid2@~0.0.2