connect-csrf-lite v0.1.0
Basic CSRF validation middleware for Connect using csrf-lite. The implementation of CSRF token session storage and retrieval is left entirely up to you.
Installation
npm install connect-csrf-lite
Usage
var connect = require('connect');
var connectCsrf = require('connect-csrf-lite');
var utils = require('./utils'); // your own helper module; only createToken() is used here

var app = connect();

// Middleware to create/retrieve `req.csrfToken`. This example uses cookie sessions,
// but the session storage and retrieval of the token are entirely up to you.
app.use(connect.cookieParser());
app.use(connect.cookieSession({ secret: 'my-secret' }));
app.use(function (req, res, next) {
  // Generate a token once per session and expose it on the request object.
  if (!req.session.csrfToken) {
    req.session.csrfToken = utils.createToken();
  }
  req.csrfToken = req.session.csrfToken;
  next();
});

// Validate the token on every state-mutating request.
app.use(connectCsrf());
The middleware takes the token set at req.csrfToken (configurable with the tokenKey option) and validates it against the x-csrf-token present in the body (configurable with the dataKey option) for all requests that mutate state.
If a CSRF token is not set on the request object, one will be created for you. You will still need to handle the session storage and retrieval for subsequent requests.
csrfInput()
A helper method to create a hidden input with the CSRF token is provided for use in your forms (available at req.csrfToken and res.locals.csrfToken):

form
  != csrfInput()
  input(type="submit")
Constructor Options
connectCsrf(options);
Pass an object on instantiation with any of the following options:
tokenKey (String)
  The key at which you have attached the csrf token onto the req object. Defaults to csrfToken.

dataKey (String)
  The key on the req object where the x-csrf-token key/value pair can be found. Examples are headers, query, etc. Defaults to body.