1.1.2 • Published 3 months ago

nest-csrf-protection v1.1.2

Weekly downloads
-
License
MIT
Repository
github
Last release
3 months ago

nestjs-csrf-protection

Installs csrf protection module, controller, service and guard

This packages provides the module, the service, the controller and the guard to implement a correct csrf protection int a Nestjs context api

Nestjs Csrf Protection

Features

  • Dynamic module allowing custom configuration (secret, cookie name, URL to retrieve the token, etc.).
  • Controller exposing an endpoint to get the CSRF token.
  • Service for generating and verifying tokens (based on csrf-csrf).
  • Guard to easily secure your NestJS routes against CSRF attacks.

Prerequisites

This package requires that you load the following packages:

@nestjs/config

    npm install @nestjs/config

coockie parser:

    npm install cookie-parser

Then inside your .env file you must register these 3 required keys:

    CSRF_SECRET = "L7xD1hBK09ksPSmfot6YFHkbfLcrBMH2uiivTgvJeoStkBFc"
    COOKIES_SECRET = "iIILzFGHr5qCJHsNzjHwnAz2p6PulwiGvJPUuoyY7506"

    # for production:
    # CSRF_COOKIE_NAME="__Host-dx.x-csrf-token"

    #for swagger testing:
    CSRF_COOKIE_NAME="Host-dx.x-csrf-token"

Configuration

In the "main.ts file" : 

    app.use(cookieParser(process.env.COOKIES_SECRET));

then in "app.module.ts" : 

import { ConfigModule } from '@nestjs/config';

...

@Module({
  imports: [
    ConfigModule.forRoot({
      isGlobal: true,
    }),
//...

Package installation

You may then install the package:

    npm install --save nest-csrf-protection

Then you may configure the module inside your app.module.ts: 

CsrfModule.forRoot({
    secret: process.env.CSRF_SECRET,
    cookieName: process.env.CSRF_COOKIE_NAME,
    url: '/get-csrf-token', // define the url segment for the route where you request a token
})

When making a GET request to the csrf url you will define for the csrf module, you will receive the token in the response body AND a hash of the token in a cookie.

Your front app will have to retrieve the token and place it inside a header name; "x-csrf-token" before you can make a call to a csrf protected route.

Route protection

To protect a route, use the CsrfGuard:

@UseGuards(CsrfGuard)
@Post('/test-csrf')
testCsrf(): { message: string } {
    return { message: 'CSRF token is valid' };
}

Happy coding !!

nestjscsrfguardservicecontroller
@nestjs/common@nestjs/config@nestjs/corecookie-parsercsrf-csrfexpress
1.1.2

3 months ago

1.1.1

3 months ago

1.1.0

3 months ago