koa-csrf
CSRF tokens for Koa
Table of Contents
Install
For versions of Koa <2.x please use koa-csrf@2.x
npm:
npm install koa-csrf
yarn:
yarn add koa-csrf
Usage
-
Add middleware in Koa app (default options are shown):
const Koa = require('koa');
const bodyParser = require('koa-bodyparser');
const session = require('koa-generic-session');
const convert = require('koa-convert');
const CSRF = require('koa-csrf');
const app = new Koa();
app.keys = [ 'a', 'b' ];
app.use(convert(session()));
app.use(bodyParser());
app.use(new CSRF({
invalidTokenMessage: 'Invalid CSRF token',
invalidTokenStatusCode: 403,
excludedMethods: [ 'GET', 'HEAD', 'OPTIONS' ],
disableQuery: false
}));
app.use((ctx, next) => {
if (![ 'GET', 'POST' ].includes(ctx.method))
return next();
if (ctx.method === 'GET') {
ctx.body = ctx.csrf;
return;
}
ctx.body = 'OK';
});
app.listen();
-
Add the CSRF token in your template forms:
Jade Template:
form(action='/register', method='POST')
input(type='hidden', name='_csrf', value=csrf)
input(type='email', name='email', placeholder='Email')
input(type='password', name='password', placeholder='Password')
button(type='submit') Register
EJS Template:
<form action="/register" method="POST">
<input type="hidden" name="_csrf" value="<%= csrf %>" />
<input type="email" name="email" placeholder="Email" />
<input type="password" name="password" placeholder="Password" />
<button type="submit">Register</button>
</form>
Options
invalidTokenMessage
(String or Function) - defaults to Invalid CSRF token
, but can also be a function that accepts one argument ctx
(useful for i18n translation, e.g. using ctx.request.t('some message')
via @ladjs/i18ninvalidTokenStatusCode
(Number) - defaults to 403
excludedMethods
(Array) - defaults to [ 'GET', 'HEAD', 'OPTIONS' ]
disableQuery
(Boolean) - defaults to false
Open Source Contributor Requests
Contributors
License
MIT © Jonathan Ong