csurf - npm Package Compare versions

Comparing version 1.6.6 to 1.7.0

HISTORY.md

@@ -0,1 +1,15 @@

1.7.0 / 2015-02-15
==================
* Accept `CSRF-Token` and `XSRF-Token` request headers
* Default `cookie.path` to `'/'`, if using cookies
* deps: cookie-signature@1.0.6
* deps: csrf@~2.0.6
- deps: base64-url@1.2.1
- deps: uid-safe@~1.1.0
* deps: http-errors@~1.3.1
- Construct errors using defined constructors from `createError`
- Fix error names that are not identifiers
- Set a meaningful `name` property on constructed errors
1.6.6 / 2015-01-31

@@ -2,0 +16,0 @@ ==================

index.js

@@ -5,3 +5,3 @@ /*!

* Copyright(c) 2014 Jonathan Ong
* Copyright(c) 2014 Douglas Christopher Wilson
* Copyright(c) 2014-2015 Douglas Christopher Wilson
* MIT Licensed

@@ -36,5 +36,3 @@ */

// get cookie options
var cookie = options.cookie !== true
? options.cookie || undefined
: {}
var cookie = getCookieOptions(options.cookie)

@@ -47,7 +45,2 @@ // get value getter

// default cookie key
if (cookie && !cookie.key) {
cookie.key = '_csrf'
}
// ignored methods

@@ -122,2 +115,4 @@ var ignoreMethods = options.ignoreMethods === undefined

|| (req.query && req.query._csrf)
|| (req.headers['csrf-token'])
|| (req.headers['xsrf-token'])
|| (req.headers['x-csrf-token'])
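Review bot: the `req.query._csrf` branch shown as context just above the two new header checks puts the token into the URL, where it lands in access logs, browser history and the Referer header of any outbound link; the header locations added here (like `req.body._csrf`) avoid that, so the README should steer integrators to them, and reading the token from the query string is a candidate for being opt-in rather than default. The new checks themselves look right: Node lowercases incoming header names, so `req.headers['csrf-token']` matches `CSRF-Token` however the client cases it, and the `||` chain means a token found earlier in the list simply wins, which is harmless because every location is validated the same way.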

@@ -128,2 +123,33 @@ || (req.headers['x-xsrf-token']);

/**
* Get options for cookie.
*
* @param {boolean|object} [options]
* @returns {object}
* @api private
*/
function getCookieOptions(options) {
if (options !== true && typeof options !== 'object') {
return undefined
}
var opts = {
key: '_csrf',
path: '/'
}
if (options && typeof options === 'object') {
for (var prop in options) {
var val = options[prop]
if (val !== undefined) {
opts[prop] = val
}
}
}
return opts
}
/**
* Get a lookup of ignored methods.
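Review bot: `getCookieOptions(null)` now enables cookie storage, because `typeof null === 'object'` passes the first guard and the `options && typeof options === 'object'` guard below then merely skips the copy loop, returning `{ key: '_csrf', path: '/' }`; the expression this replaces, `options.cookie || undefined`, disabled cookie mode for `null`. Tighten the first check to `if (options !== true && (options === null || typeof options !== 'object')) return undefined`, or better, throw a `TypeError` for anything other than a boolean or object: as written, a truthy non-object such as the string `'true'` also silently returns `undefined` and drops the caller into session storage, which is the kind of configuration mistake that should fail loudly. Two smaller points: `for (var prop in options)` copies inherited enumerable properties as well, so add an own-property check before `opts[prop] = val`; and only `key` and `path` get defaults here even though the cookie holds the token secret that is consumed only server-side, so defaulting `httpOnly: true` (leaving callers free to override it) is worth considering.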

@@ -130,0 +156,0 @@ *

{
"name": "csurf",
"description": "CSRF token middleware",
"version": "1.6.6",
"version": "1.7.0",
"author": "Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)",

@@ -13,10 +13,10 @@ "contributors": [

"cookie": "0.1.2",
"cookie-signature": "1.0.5",
"csrf": "~2.0.5",
"http-errors": "~1.2.8"
"cookie-signature": "1.0.6",
"csrf": "~2.0.6",
"http-errors": "~1.3.1"
},
"devDependencies": {
"body-parser": "~1.11.0",
"body-parser": "~1.12.0",
"connect": "3",
"cookie-parser": "~1.3.3",
"cookie-parser": "~1.3.4",
"cookie-session": "~1.1.0",

@@ -23,0 +23,0 @@ "istanbul": "0.3.5",

@@ -7,2 +7,3 @@ # csurf

[![Test coverage][coveralls-image]][coveralls-url]
[![Gratipay][gratipay-image]][gratipay-url]

@@ -18,3 +19,3 @@ Node.js [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) protection middleware.

### Install
## Installation

@@ -28,27 +29,57 @@ ```sh

```js
var csrf = require('csurf')
var csurf = require('csurf')
```
### csrf(options)
### csurf([options])
This middleware adds a `req.csrfToken()` function to make a token which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor's session or csrf cookie.
Create a middleware for CSRF token creation and validation. This middleware
adds a `req.csrfToken()` function to make a token which should be added to
requests which mutate state, within a hidden form field, query-string etc.
This token is validated against the visitor's session or csrf cookie.
#### Options
- `value` a function accepting the request, returning the token.
- The default function checks four possible token locations:
- `_csrf` parameter in `req.body` generated by the `body-parser` middleware.
- `_csrf` parameter in `req.query` generated by `query()`.
- `x-csrf-token` and `x-xsrf-token` header fields.
- `cookie` set to a truthy value to enable cookie-based instead of session-based csrf secret storage.
- If `cookie` is an object, these options can be configured, otherwise defaults are used:
- `key` the name of the cookie to use (defaults to `_csrf`) to store the csrf secret
- any other [res.cookie](http://expressjs.com/4x/api.html#res.cookie) options can be set
- `ignoreMethods` An array of the methods CSRF token checking will disabled.
(default: `['GET', 'HEAD', 'OPTIONS']`)
The `csurf` function takes an optional `options` object that may contain
any of the following keys:
### req.csrfToken()
##### cookie
Lazy-loads the token associated with the request.
Determines if the token secret for the user should be stored in a cookie
(when set to `true` or an object, requires a cookie parsing module) or in
`req.session` (when set to `false`, provided by another module). Defaults
to `false`.
When set to an object, cookie storage of the secret is enabled and the
object contains options for this functionality (when set to `true`, the
defaults for the options are used). The options may contain any of the
following keys:
- `key` - the name of the cookie to use to store the token secret
(defaults to `'_csrf'`).
- `path` - the path of the cookie (defaults to `'/'`).
- any other [res.cookie](http://expressjs.com/4x/api.html#res.cookie)
option can be set.
##### ignoreMethods
An array of the methods for which CSRF token checking will disabled.
Defaults to `['GET', 'HEAD', 'OPTIONS']`.
##### value
Provide a function that the middleware will invoke to read the token from
the request for validation. The function is called as `value(req)` and is
expected to return the token as a string.
The default value is a function that reads the token from the following
locations, in order:
- `req.body._csrf` - typically generated by the `body-parser` module.
- `req.query._csrf` - a built-in from Express.js to read from the URL
query string.
- `req.headers['csrf-token']` - the `CSRF-Token` HTTP request header.
- `req.headers['xsrf-token']` - the `XSRF-Token` HTTP request header.
- `req.headers['x-csrf-token']` - the `X-CSRF-Token` HTTP request header.
- `req.headers['x-xsrf-token']` - the `X-XSRF-Token` HTTP request header.
## Example
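Review bot: the `cookie` section should state which cookie attributes the module sets on its own and which it leaves to the caller; from the `getCookieOptions` hunk in index.js only `key` and `path` are defaulted, so readers need to know that `httpOnly`, `secure` and `signed` are entirely theirs to pass through the `res.cookie` options, and that the session variant assumes `req.session` has already been populated by earlier middleware. Typo under `##### ignoreMethods`: "will disabled" should read "will be disabled". The ordered list under `value` matches the `||` chain in index.js, which is good; a sentence noting that a token passed via `req.query._csrf` is exposed in URLs and logs would round it out.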

@@ -58,24 +89,28 @@

The following is an example of some server-side code that protects all
non-GET/HEAD/OPTIONS routes with a CSRF token.
The following is an example of some server-side code that generates a form
that requires a CSRF token to post back.
```js
var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var bodyParser = require('body-parser')
var express = require('express')
var csrf = require('csurf')
// setup route middlewares
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyparser.urlencoded({ extended: false })
// create express app
var app = express()
app.use(csrf())
// error handler
app.use(function (err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') return next(err)
// parse cookies
app.use(cookieParser())
// handle CSRF token errors here
res.status(403)
res.send('session has expired or form tampered with')
app.get('/form', csrfProtection, function(req, res) {
// pass the csrfToken to the view
res.render('send', { csrfToken: req.csrfToken() })
})
// pass the csrfToken to the view
app.get('/form', function(req, res) {
res.render('send', { csrfToken: req.csrfToken() })
app.post('/process', parseForm, csrfProtection, function(req, res) {
res.send('data is being processed')
})
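Review bot: `var parseForm = bodyparser.urlencoded({ extended: false })` references `bodyparser` in lower case while the module is required as `bodyParser`, so this example throws a ReferenceError as soon as it is pasted; change it to `bodyParser.urlencoded(...)`. The middleware order on `app.post('/process', parseForm, csrfProtection, ...)` is correct and deserves a one-line comment, since the default token getter reads `req.body._csrf` and the body has to be parsed before `csrfProtection` runs; putting `csrfProtection` first would reject every form post.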

@@ -99,8 +134,16 @@ ```

When the CSRF token validation fails, an error is thrown that has
`err.code === 'EBADCSRFTOKEN'`. This can be used to display custom
error messages.
```js
var bodyParser = require('body-parser')
var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var express = require('express')
var csrf = require('csurf')
var app = express()
app.use(csrf())
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
app.use(csrf({ cookie: true }))

@@ -113,3 +156,3 @@ // error handler

res.status(403)
res.send('session has expired or form tampered with')
res.send('form tampered with')
})

@@ -122,9 +165,11 @@ ```

[npm-image]: https://img.shields.io/npm/v/csurf.svg?style=flat
[npm-image]: https://img.shields.io/npm/v/csurf.svg
[npm-url]: https://npmjs.org/package/csurf
[travis-image]: https://img.shields.io/travis/expressjs/csurf.svg?style=flat
[travis-image]: https://img.shields.io/travis/expressjs/csurf/master.svg
[travis-url]: https://travis-ci.org/expressjs/csurf
[coveralls-image]: https://img.shields.io/coveralls/expressjs/csurf.svg?style=flat
[coveralls-image]: https://img.shields.io/coveralls/expressjs/csurf/master.svg
[coveralls-url]: https://coveralls.io/r/expressjs/csurf?branch=master
[downloads-image]: https://img.shields.io/npm/dm/csurf.svg?style=flat
[downloads-image]: https://img.shields.io/npm/dm/csurf.svg
[downloads-url]: https://npmjs.org/package/csurf
[gratipay-image]: https://img.shields.io/gratipay/dougwilson.svg
[gratipay-url]: https://gratipay.com/dougwilson/
