This package has been deprecated

Author message:

Please use SameSite lax or strict; see <https://scotthelme.co.uk/csrf-is-dead/> and example usage in the @forwardemail codebase <https://github.com/forwardemail/forwardemail.net/blob/040c07f076642ddd3a1a09c63c4252609a4bc52e/config/cookies.js#L12-L16>

koa-csrf

5.0.1 • Public • Published

koa-csrf


CSRF tokens for Koa

NOTE: As of v5.0.0+, ctx.csrf, ctx._csrf, and ctx.response.csrf are removed – use ctx.state._csrf instead. Furthermore, we have dropped the invalidTokenMessage and invalidTokenStatusCode options in favor of a single errorHandler function option.


Install

npm:

npm install koa-csrf

Usage

  1. Add middleware in Koa app (see options below):

    const Koa = require('koa');
    const bodyParser = require('koa-bodyparser');
    const session = require('koa-generic-session');
    const convert = require('koa-convert');
    const CSRF = require('koa-csrf');
    
    const app = new Koa();
    
    // set the session keys
    app.keys = [ 'a', 'b' ];
    
    // add session support
    app.use(convert(session()));
    
    // add body parsing
    app.use(bodyParser());
    
    // add the CSRF middleware
    app.use(new CSRF());
    
    // your middleware here (e.g. parse a form submit)
    app.use((ctx, next) => {
      if (![ 'GET', 'POST' ].includes(ctx.method))
        return next();
      if (ctx.method === 'GET') {
        ctx.body = ctx.state._csrf;
        return;
      }
      ctx.body = 'OK';
    });
    
    app.listen();
  2. Add the CSRF token in your template forms:

    Jade Template:

    form(action='/register', method='POST')
      input(type='hidden', name='_csrf', value=_csrf)
      input(type='email', name='email', placeholder='Email')
      input(type='password', name='password', placeholder='Password')
      button(type='submit') Register

    EJS Template:

    <form action="/register" method="POST">
      <input type="hidden" name="_csrf" value="<%= _csrf %>" />
      <input type="email" name="email" placeholder="Email" />
      <input type="password" name="password" placeholder="Password" />
      <button type="submit">Register</button>
    </form>

Options

  • errorHandler (Function) - defaults to a function that returns ctx.throw(403, 'Invalid CSRF token')
  • excludedMethods (Array) - defaults to [ 'GET', 'HEAD', 'OPTIONS' ]
  • disableQuery (Boolean) - defaults to false
  • ignoredPathGlobs (Array) - defaults to an empty Array, but you can pass an Array of glob paths to ignore

Contributors

Name         Website
Nick Baugh   https://github.com/niftylettuce
Imed Jaberi  https://www.3imed-jaberi.com/

License

MIT © Jonathan Ong
