@mashroom/mashroom-csrf-protection v2.6.1

Mashroom CSRF Protection

Plugin for Mashroom Server, a Microfrontend Integration Platform.

If you add this plugin all updating HTTP methods (such as POST, PUT and DELETE) must contain a CSRF token automatically generated for the session. Otherwise, the request will be rejected.

There are two ways to pass the token:

• As HTTP header X-CSRF-Token
• As query parameter csrfToken

You can use the MashroomCSRFService to get the current token.

Mashroom Portal automatically uses this plugin to secure all requests if available.

Usage

If node_modules/@mashroom is configured as plugin path just add @mashroom/mashroom-csrf-protection as dependency.

After that you can use the service like this:

import type {MashroomCacheControlService} from '@mashroom/mashroom-csrf-protection/type-definitions';

export default (req: Request, res: Response) => {

    const csrfService: MashroomCacheControlService = req.pluginContext.services.csrf.service;
    const token = csrfService.getCSRFToken(req);

    // ...
}

You can override the default config in your Mashroom config file like this:

{
  "plugins": {
        "Mashroom CSRF Middleware": {
            "safeMethods": ["GET", "HEAD", "OPTIONS"]
        },
        "Mashroom CSRF Services": {
            "saltLength": 8,
            "secretLength": 18
        }
    }
}

• safeMethods: List of HTTP methods that require no CSRF token check (Default: "GET", "HEAD", "OPTIONS").
• saltLength and secretLength are passed to the csrf package.

Services

MashroomCSRFService

The exposed service is accessible through pluginContext.services.csrf.service

Interface:

export interface MashroomCSRFService {

    /**
     * Get the current CSRF token for this session
     */
    getCSRFToken(request: Request): string;

    /**
     * Check if the given token is valid
     */
    isValidCSRFToken(request: Request, token: string): boolean;
}