Neatly Positioned Magazines

    connect-csrf-lite

    0.1.0 • Public • Published

    connect-csrf-lite Build status

    Basic CSRF validation middleware for Connect using csrf-lite. The implementation of CSRF token session storage and retrieval is left entirely up to you.

    Installation

    npm install connect-csrf-lite

    Usage

    var connect = require('connect');
    var connectCsrf = require('connect-csrf-lite');
    var utils = require('./utils');
    var app = connect();
     
    // Middleware to create/retrieve `req.csrfToken`. This example uses cookie sessions.
    app.use(connect.cookieParser());
    app.use(connect.cookieSession({ secret: 'my-secret' }));
    app.use(function (req, res, next) {
      if (!req.session.csrfToken) {
        req.session.csrfToken = utils.createToken();
      }
      req.csrfToken = req.session.csrfToken;
      next();
    });
     
    app.use(connectCsrf());

    The middleware takes the token set at req.csrfToken (configurable with the tokenKey option) and validates it against x-csrf-token present in the body (configurable with the dataKey option) for all requests that mutate state.

    If a CSRF token is not set on the request object, one will be created for you. You will still need to handle the session storage and retrieval for subsequent requests.

    csrfInput()

    A helper method to create a hidden input with the CSRF token is provided for use in your forms (available at req.csrfToken and res.locals.csrfToken):

    form
      != csrfInput()
      input(type="submit")

    Constructor Options

    connectCsrf(options);

    Pass an object on instantiation with any of the following options:

    • tokenKey String The key at which you have attached the csrf token onto the req object. Defaults to csrfToken.

    • dataKey String The key on the req object where the x-csrf-token key/value pair can be found. Examples are headers, query, etc. Defaults to body.

    Keywords

    none

    Install

    npm i connect-csrf-lite

    DownloadsWeekly Downloads

    11

    Version

    0.1.0

    License

    none

    Last publish

    Collaborators

    • mlmorg