type-graphql-csrf-middleware
TypeGraphQL middleware for handling csrf tokens with an express server and express-session.
Required Peer Dependencies:
- express
- express-session
- crsf
- cookie-parser
- graphql
- type-graphql
Installation
npm install type-graphql-csrf-middleware
yarn add type-graphql-csrf-middlewareimport { ValidAntiForgeryToken } from "type-graphql-csrf-middleware";Getting Started
Your express server will need to add a csrf token as a cookie and a csrf secret to the session. Below is an example express route middleware to add the tokens.
const addCsrf = (req: Request, res: Response, next: NextFunction) => {
const tokens = new Tokens();
const secret = tokens.secretSync();
const token = tokens.create(secret);
res.cookie("csrfToken", token);
req.session.csrfSecret = secret;
next();
};Resolver Middleware Use
The type-graphql middleware needs a cookie key and a session key that are used in your express route middleware function like the previous example in order to verify the token.
import { ValidAntiForgeryToken } from "type-graphql-csrf-middleware";
@Resolver(User)
export class UserResolver {
@Query(() => User)
@UseMiddleware(ValidAntiForgeryToken({ cookieKey: "csrfToken", secretKey: "csrfSecret" }))
async me(@Ctx() ctx: MyContext): Promise<User | undefined> {
{...}
}
}The middleware can also be reusable between resolver functions.
import { ValidAntiForgeryToken } from "type-graphql-csrf-middleware";
const Authorized = ValidAntiForgeryToken({
cookieKey: "csrfToken",
secretKey: "csrfSecret",
message: "Access Denied!"
});
{...}
@Resolver(User)
export class UserResolver {
@Query(() => User)
@UseMiddleware(Authorized)
async me(@Ctx() ctx: MyContext): Promise<User | undefined> {
{...}
}
}