Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

koa-csrf

Package Overview
Dependencies
Maintainers
13
Versions
26
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

koa-csrf

CSRF tokens for Koa

  • 5.0.1
  • latest
  • Source
  • npm
  • Socket score
Version published
Weekly downloads
19K
decreased by-9.09%
Maintainers
13
Weekly downloads
 
Created
Source

koa-csrf

build status build status code style styled with prettier made with lass license

CSRF tokens for Koa

NOTE: As of v5.0.0+ ctx.csrf, ctx_csrf, and ctx.response.csrf are removed – instead use ctx.state._csrf. Furthermore we have dropped invalidTokenMessage and invalidTokenStatusCode in favor of an errorHandler function option.

Table of Contents

Install

npm:

npm install koa-csrf

Usage

  1. Add middleware in Koa app (see options below):

    const Koa = require('koa');
const bodyParser = require('koa-bodyparser');
const session = require('koa-generic-session');
const convert = require('koa-convert');
const CSRF = require('koa-csrf');

const app = new Koa();

// set the session keys
app.keys = [ 'a', 'b' ];

// add session support
app.use(convert(session()));

// add body parsing
app.use(bodyParser());

// add the CSRF middleware
app.use(new CSRF());

// your middleware here (e.g. parse a form submit)
app.use((ctx, next) => {
  if (![ 'GET', 'POST' ].includes(ctx.method))
    return next();
  if (ctx.method === 'GET') {
    ctx.body = ctx.state._csrf;
    return;
  }
  ctx.body = 'OK';
});

app.listen();

  2. Add the CSRF token in your template forms:

    Jade Template:

    form(action='/register', method='POST')
  input(type='hidden', name='_csrf', value=_csrf)
  input(type='email', name='email', placeholder='Email')
  input(type='password', name='password', placeholder='Password')
  button(type='submit') Register

    EJS Template:

    <form action="/register" method="POST">
  <input type="hidden" name="_csrf" value="<%= _csrf %>" />
  <input type="email" name="email" placeholder="Email" />
  <input type="password" name="password" placeholder="Password" />
  <button type="submit">Register</button>
</form>

Options

  • errorHandler (Function) - defaults to a function that returns ctx.throw(403, 'Invalid CSRF token')
  • excludedMethods (Array) - defaults to [ 'GET', 'HEAD', 'OPTIONS' ]
  • disableQuery (Boolean) - defaults to false
  • ignoredPathGlobs (Array) - defaults to an empty Array, but you can pass an Array of glob paths to ignore

Contributors

NameWebsite
Nick Baughhttps://github.com/niftylettuce
Imed Jaberihttps://www.3imed-jaberi.com/

License

MIT © Jonathan Ong

Keywords

FAQs

Package last updated on 02 Jul 2022

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

PyPI on Ultralytics Supply Chain Attack: Poor CI/CD Practices to Blame, No Security Flaws in PyPI Exploited

Security News

PyPI on Ultralytics Supply Chain Attack: Poor CI/CD Practices to Blame, No Security Flaws in PyPI Exploited

PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.

By Sarah Gooding  -  Dec 13, 2024
SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

About

Packages

npm

Go

Maven

PyPI

Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc