
csurf


csurf - npm Package Compare versions

Comparing version 1.7.0 to 1.8.0

5

HISTORY.md

@@ -0,1 +1,6 @@

1.8.0 / 2015-04-07
==================
* Add `sessionKey` option
1.7.0 / 2015-02-15

@@ -2,0 +7,0 @@ ==================

25

index.js

@@ -37,2 +37,5 @@ /*!

// get session options
var sessionKey = options.sessionKey || 'session'
// get value getter

@@ -57,3 +60,3 @@ var value = options.value || defaultValue

return function csrf(req, res, next) {
var secret = getsecret(req, cookie)
var secret = getsecret(req, sessionKey, cookie)
var token

@@ -64,3 +67,3 @@

var sec = !cookie
? getsecret(req, cookie)
? getsecret(req, sessionKey, cookie)
: secret

@@ -76,3 +79,3 @@

sec = tokens.secretSync()
setsecret(req, res, sec, cookie)
setsecret(req, res, sessionKey, sec, cookie)
}

@@ -92,3 +95,3 @@

secret = tokens.secretSync()
setsecret(req, res, secret, cookie)
setsecret(req, res, sessionKey, secret, cookie)
}

@@ -177,2 +180,3 @@

* @param {IncomingMessage} req
* @param {String} sessionKey
* @param {Object} [cookie]

@@ -182,3 +186,3 @@ * @api private

function getsecret(req, cookie) {
function getsecret(req, sessionKey, cookie) {
var secret

@@ -193,5 +197,5 @@

secret = req[bag][cookie.key]
} else if (req.session) {
} else if (req[sessionKey]) {
// get secret from session
secret = req.session.csrfSecret
secret = req[sessionKey].csrfSecret
} else {

@@ -230,2 +234,3 @@ throw new Error('misconfigured csrf')

* @param {OutgoingMessage} res
* @param {string} sessionKey
* @param {string} val

@@ -236,3 +241,3 @@ * @param {Object} [cookie]

function setsecret(req, res, val, cookie) {
function setsecret(req, res, sessionKey, val, cookie) {
if (cookie) {

@@ -251,5 +256,5 @@ // set secret on cookie

setcookie(res, cookie.key, val, cookie);
} else if (req.session) {
} else if (req[sessionKey]) {
// set secret on session
req.session.csrfSecret = val
req[sessionKey].csrfSecret = val
} else {

@@ -256,0 +261,0 @@ /* istanbul ignore next: should never actually run */
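Review bot: The new `sessionKey` option is read as `options.sessionKey || 'session'` (hunk `@@ -37,2 +37,5 @@`) with no type check, and `getsecret`/`setsecret` then only test `req[sessionKey]` for truthiness. A non-string or mistyped value that happens to name some other existing property of `req` would therefore be treated as the session object, apparently without reaching the `misconfigured csrf` error. Because the token check relies on the secret living in server-side session state, I would validate at setup, for example `if (typeof sessionKey !== 'string') throw new TypeError('option sessionKey must be a string')`, and state in the README that the key must name the object populated by the session middleware. The error thrown for a missing session could also include the key that was looked up, which makes a misconfiguration easier to diagnose. The bodies of `getsecret` and `setsecret` extend beyond these hunks, so the exact placement needs checking against the full file.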

6

package.json
{
"name": "csurf",
"description": "CSRF token middleware",
"version": "1.7.0",
"version": "1.8.0",
"author": "Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)",

@@ -18,3 +18,3 @@ "contributors": [

"devDependencies": {
"body-parser": "~1.12.0",
"body-parser": "~1.12.2",
"connect": "3",

@@ -24,3 +24,3 @@ "cookie-parser": "~1.3.4",

"istanbul": "0.3.5",
"mocha": "~2.1.0",
"mocha": "~2.2.1",
"supertest": "~0.15.0"

@@ -27,0 +27,0 @@ },

@@ -12,5 +12,10 @@ # csurf

Requires either a session middleware or [cookie-parser](https://www.npmjs.com/package/cookie-parser) to be initialized first.
- [express-session](https://www.npmjs.com/package/express-session)
- [cookie-session](https://www.npmjs.com/package/cookie-session)
* If you are setting the ["cookie" option](#cookie) to a non-`false` value,
then you must use [cookie-parser](https://www.npmjs.com/package/cookie-parser)
before this module.
* Otherwise, you must use a session middleware before this module. For example:
- [express-session](https://www.npmjs.com/package/express-session)
- [cookie-session](https://www.npmjs.com/package/cookie-session)
If you have questions on how this module is implemented, please read

@@ -46,6 +51,10 @@ [Understanding CSRF](https://github.com/pillarjs/understanding-csrf).

Determines if the token secret for the user should be stored in a cookie
(when set to `true` or an object, requires a cookie parsing module) or in
`req.session` (when set to `false`, provided by another module). Defaults
to `false`.
or in `req.session`. Defaults to `false`.
When set to `true` (or an object of options for the cookie), then the module
changes behavior and no longer uses `req.session`. This means you _are no
longer required to use a session middleware_. Instead, you do need to use the
[cookie-parser](https://www.npmjs.com/package/cookie-parser) middleware in
your app before this middleware.
When set to an object, cookie storage of the secret is enabled and the

@@ -67,2 +76,11 @@ object contains options for this functionality (when set to `true`, the

##### sessionKey
Determines what property ("key") on `req` the session object is located.
Defaults to `'session'` (i.e. looks at `req.session`). The CSRF secret
from this library is stored and read as `req[sessionKey].csrfSecret`.
If the ["cookie" option](#cookie) is not `false`, then this option does
nothing.
##### value

@@ -100,3 +118,3 @@

var csrfProtection = csrf({ cookie: true })
var parseForm = bodyparser.urlencoded({ extended: false })
var parseForm = bodyParser.urlencoded({ extended: false })

@@ -107,2 +125,3 @@ // create express app

// parse cookies
// we need this because "cookie" is true in csrfProtection
app.use(cookieParser())

@@ -109,0 +128,0 @@
