@edge-csrf/node-http

Edge-CSRF integration library for node's http module

# Node-HTTP

This is the documentation for Edge-CSRF's Node built-in http module integration.

## Quickstart

First, add the integration library as a dependency:

```console
npm install @edge-csrf/node-http
# or
pnpm add @edge-csrf/node-http
# or
yarn add @edge-csrf/node-http
```

Next, add the Edge-CSRF CSRF protection function to your app:

```javascript
// server.js

import { createServer } from 'http';

// CsrfError must be imported as well: the catch block below tests against it,
// and without the import a rejected request raises a ReferenceError instead of a 403
import { CsrfError, createCsrfProtect } from '@edge-csrf/node-http';

// initialize csrf protection middleware
const csrfProtect = createCsrfProtect({
  cookie: {
    // the secret cookie is marked Secure in production; relaxed elsewhere so it
    // is accepted over plain http://localhost during development
    secure: process.env.NODE_ENV === 'production',
  },
});

// init server
const server = createServer(async (req, res) => {
  // apply csrf protection
  try {
    await csrfProtect(req, res);
  } catch (err) {
    if (err instanceof CsrfError) {
      res.writeHead(403);
      res.end('invalid csrf token');
      return;
    }
    throw err;
  }

  // add handler
  if (req.url === '/') {
    if (req.method === 'GET') {
      // csrfProtect sets the token on the response; embed it in the form
      const csrfToken = res.getHeader('X-CSRF-Token') || 'missing';
      res.writeHead(200, { 'Content-Type': 'text/html' });
      res.end(`
        <!doctype html>
        <html>
          <body>
            <form action="/" method="post">
              <legend>Form with CSRF (should succeed):</legend>
              <input type="hidden" name="csrf_token" value="${csrfToken}" />
              <input type="text" name="input1" />
              <button type="submit">Submit</button>
            </form>
          </body>
        </html>
      `);
      return;
    }

    if (req.method === 'POST') {
      res.writeHead(200, { 'Content-Type': 'text/plain' });
      res.end('success');
      return;
    }
  }

  res.writeHead(404);
  res.end('not found');
});

// start server
server.listen(3000, () => {
  console.log('Server is listening on port 3000');
});
```

With the CSRF protection method, all HTTP submission requests (e.g. POST, PUT, DELETE, PATCH) will be rejected if they do not include a valid CSRF token. Note that the hidden field name (`csrf_token`) must match the configured `token.fieldName`.

## Example

Check out the example Node-HTTP server in this repository: [Node-HTTP example](examples/node-http).
## Configuration

```javascript
// default config
{
  cookie: {
    name: '_csrfSecret',
    path: '/',
    maxAge: undefined,
    domain: '',
    secure: true,
    httpOnly: true,
    sameSite: 'strict'
  },
  excludePathPrefixes: [],
  ignoreMethods: ['GET', 'HEAD', 'OPTIONS'],
  saltByteLength: 8,
  secretByteLength: 18,
  token: {
    fieldName: 'csrf_token',
    responseHeader: 'X-CSRF-Token'
  }
}
```

## API

The following are named exports in the `@edge-csrf/node-http` module:

### Types

```
NodeHttpCsrfProtect - A function that implements CSRF protection for Node http requests

  * @param {IncomingMessage} request - The Node HTTP module request instance
  * @param {ServerResponse} response - The Node HTTP module response instance
  * @returns {Promise<void>} - The function completed successfully
  * @throws {CsrfError} - The function encountered a CSRF error
```

### Classes

```
CsrfError - A class that inherits from Error and represents CSRF errors
```

### Methods

```
createCsrfProtect([options]) - Create a function that can be used inside Node HTTP handlers to implement CSRF protection for requests

  * @param {object} options - The configuration options
  * @returns {NodeHttpCsrfProtect} - The CSRF protection function
```