Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

csurf

Package Overview
Dependencies
Maintainers
6
Versions
29
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

csurf - npm Package Compare versions

Comparing version 1.6.1 to 1.6.2

6

HISTORY.md

@@ -0,1 +1,7 @@

1.6.2 / 2014-10-14
==================
* bump http-errors
* fix cookie name when using `cookie: true`
1.6.1 / 2014-09-05

@@ -2,0 +8,0 @@ ==================

31

index.js

@@ -15,2 +15,3 @@ /*!

var csrfTokens = require('csrf');
var createError = require('http-errors');
var sign = require('cookie-signature').sign;

@@ -34,2 +35,7 @@

// get cookie options
var cookie = options.cookie !== true
? options.cookie || undefined
: {}
// get value getter

@@ -42,4 +48,4 @@ var value = options.value || defaultValue

// default cookie key
if (options.cookie && !options.cookie.key) {
options.cookie.key = '_csrf'
if (cookie && !cookie.key) {
cookie.key = '_csrf'
}

@@ -60,3 +66,3 @@

return function csrf(req, res, next) {
var secret = getsecret(req, options.cookie)
var secret = getsecret(req, cookie)
var token

@@ -66,4 +72,4 @@

req.csrfToken = function csrfToken() {
var sec = !options.cookie
? getsecret(req, options.cookie)
var sec = !cookie
? getsecret(req, cookie)
: secret

@@ -79,3 +85,3 @@

sec = tokens.secretSync()
setsecret(req, res, sec, options.cookie)
setsecret(req, res, sec, cookie)
}

@@ -95,3 +101,3 @@

secret = tokens.secretSync()
setsecret(req, res, secret, options.cookie)
setsecret(req, res, secret, cookie)
}

@@ -237,10 +243,7 @@

// valid token
if (tokens.verify(secret, val)) {
return
if (!tokens.verify(secret, val)) {
throw createError(403, 'invalid csrf token', {
code: 'EBADCSRFTOKEN'
});
}
var err = new Error('invalid csrf token')
err.status = 403
err.code = 'EBADCSRFTOKEN'
throw err
}

7

package.json
{
"name": "csurf",
"description": "CSRF token middleware",
"version": "1.6.1",
"version": "1.6.2",
"author": "Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)",

@@ -14,3 +14,4 @@ "contributors": [

"cookie-signature": "1.0.5",
"csrf": "~2.0.1"
"csrf": "~2.0.1",
"http-errors": "~1.2.6"
},

@@ -25,3 +26,3 @@ "devDependencies": {

"should": "~4.0.4",
"supertest": "~0.13.0"
"supertest": "~0.14.0"
},

@@ -28,0 +29,0 @@ "engines": {

42

README.md

@@ -50,2 +50,7 @@ # csurf

### Simple express example
The following is an example of some server-side code that protects all
non-GET/HEAD/OPTIONS routes with a CSRF token.
```js

@@ -66,4 +71,41 @@ var express = require('express')

})
// pass the csrfToken to the view
app.get('/form', function(req, res) {
res.render('send', { csrfToken: req.csrfToken() })
})
```
Inside the view (depending on your template language; handlebars-style
is demonstrated here), set the `csrfToken` value as the value of a hidden
input field named `_csrf`:
```html
<form action="/process" method="POST">
<input type="hidden" name="_csrf" value="{{csrfToken}}">
Favorite color: <input type="text" name="favoriteColor">
<button type="submit">Submit</button>
</form>
```
### Custom error handling
```js
var express = require('express')
var csrf = require('csurf')
var app = express()
app.use(csrf())
// error handler
app.use(function (err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') return next(err)
// handle CSRF token errors here
res.status(403)
res.send('session has expired or form tampered with')
})
```
## License

@@ -70,0 +112,0 @@

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

About

Packages

npm

Go

Maven

PyPI

Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc