Comparing version 1.2.2 to 1.3.0
@@ -0,2 +1,6 @@ | ||
1.3.0 / 2014-07-03 | ||
================== | ||
* add support for environments without `res.cookie` (connect@3) | ||
1.2.2 / 2014-06-18 | ||
@@ -3,0 +7,0 @@ ================== |
56
index.js
@@ -9,2 +9,10 @@ /*! | ||
/** | ||
* Module dependencies. | ||
*/ | ||
var Cookie = require('cookie'); | ||
var csrfTokens = require('csrf-tokens'); | ||
var sign = require('cookie-signature').sign; | ||
/** | ||
* CSRF protection middleware. | ||
@@ -35,3 +43,3 @@ * | ||
var tokens = require('csrf-tokens')(options); | ||
var tokens = csrfTokens(options); | ||
@@ -66,11 +74,20 @@ if (cookie && typeof cookie !== 'object') | ||
if (err) return next(err); | ||
if (cookie) | ||
res.cookie(cookieKey, secret, cookie); | ||
else if (req.session) | ||
if (cookie) { | ||
var cookieSecret = req.secret; | ||
var val = secret; | ||
if (signedCookie) { | ||
if (!cookieSecret) { | ||
var err = new Error('cookieParser("secret") required for signed cookies'); | ||
err.status = 500; | ||
next(err); | ||
return; | ||
} | ||
val = 's:' + sign(secret, cookieSecret); | ||
} | ||
setcookie(res, cookieKey, val, cookie); | ||
} else { | ||
req.session.csrfSecret = secret; | ||
else { | ||
var err = new Error('misconfigured csrf'); | ||
err.status = 500; | ||
next(err); | ||
return; | ||
} | ||
@@ -119,1 +136,22 @@ createToken(secret); | ||
} | ||
/** | ||
* Set a cookie on the HTTP response. | ||
* | ||
* @param {OutgoingMessage} res | ||
* @param {string} name | ||
* @param {string} val | ||
* @param {Object} [options] | ||
* @api private | ||
*/ | ||
function setcookie(res, name, val, options) { | ||
var data = Cookie.serialize(name, val, options); | ||
var prev = res.getHeader('set-cookie') || []; | ||
var header = Array.isArray(prev) ? prev.concat(data) | ||
: Array.isArray(data) ? [prev].concat(data) | ||
: [prev, data]; | ||
res.setHeader('set-cookie', header); | ||
} |
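Review bot: The middle branch of the header fold in `setcookie` (`Array.isArray(data) ? [prev].concat(data)`) is unreachable, because `Cookie.serialize` returns a single string, so the expression reduces to `var header = Array.isArray(prev) ? prev.concat(data) : [prev, data];` and the dead branch only suggests a multi-cookie case that does not exist. In the new signed-cookie path, `var err = new Error('cookieParser("secret") required for signed cookies')` reuses the name of the enclosing callback's `err` parameter (the one tested by `if (err) return next(err);`), which `var` hoisting turns into a plain reassignment; a distinct name such as `var error` would read less ambiguously, and the same applies to the pre-existing `misconfigured csrf` branch. The callback that holds this branch begins and ends outside the hunk, so whether the `cookie` options already carry `httpOnly`/`secure` defaults before they reach `setcookie` cannot be judged from here and is worth confirming.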
{ | ||
"name": "csurf", | ||
"description": "CSRF token middleware", | ||
"version": "1.2.2", | ||
"version": "1.3.0", | ||
"author": { | ||
@@ -14,12 +14,15 @@ "name": "Jonathan Ong", | ||
"dependencies": { | ||
"cookie": "0.1.2", | ||
"cookie-signature": "1.0.4", | ||
"csrf-tokens": "~2.0.0" | ||
}, | ||
"devDependencies": { | ||
"cookie-session": "*", | ||
"body-parser": "*", | ||
"cookie-parser": "*", | ||
"mocha": ">= 1.17.0 < 2", | ||
"should": ">= 3.0.0 < 4", | ||
"supertest": "*", | ||
"connect": "*" | ||
"body-parser": "~1.3.0", | ||
"connect": "3", | ||
"cookie-parser": "~1.3.1", | ||
"cookie-session": "~1.0.2", | ||
"istanbul": "0.2.14", | ||
"mocha": "~1.20.1", | ||
"should": "~4.0.4", | ||
"supertest": "~0.13.0" | ||
}, | ||
@@ -30,4 +33,6 @@ "engines": { | ||
"scripts": { | ||
"test": "NODE_ENV=test mocha --reporter spec --require should" | ||
"test": "mocha --check-leaks --reporter spec --bail test/", | ||
"test-cov": "istanbul cover node_modules/mocha/bin/_mocha -- --check-leaks --reporter dot test/", | ||
"test-travis": "istanbul cover node_modules/mocha/bin/_mocha --report lcovonly -- --check-leaks --reporter spec test/" | ||
} | ||
} |
@@ -1,3 +0,7 @@ | ||
# csurf [![Build Status](https://travis-ci.org/expressjs/csurf.svg?branch=master)](https://travis-ci.org/expressjs/csurf) [![NPM Version](https://badge.fury.io/js/csurf.svg)](https://badge.fury.io/js/csurf) | ||
# csurf | ||
[![NPM Version](https://badge.fury.io/js/csurf.svg)](https://badge.fury.io/js/csurf) | ||
[![Build Status](https://travis-ci.org/expressjs/csurf.svg?branch=master)](https://travis-ci.org/expressjs/csurf) | ||
[![Coverage Status](https://img.shields.io/coveralls/expressjs/csurf.svg?branch=master)](https://coveralls.io/r/expressjs/csurf) | ||
Node.js [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) protection middleware. | ||
@@ -4,0 +8,0 @@ |