UNPKG

@nartix/next-csrf

Version:

A CSRF protection middleware for Next.js

github.com/nartix/next-csrf

nartix/next-csrf

76 lines (55 loc) 2.27 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# Next CSRF A lightweight CSRF protection middleware for Next.js on the Edge Runtime. It performs a **double check** on the CSRF token by comparing the token from the request body or headers with the token stored in the cookie. You can access the token via **request header** or by reading the **cookie** value. ## Installation ```bash npm install @nartix/next-csrf ``` ## Quick Start Below is a minimal example of how to integrate this middleware in a Next.js app: ```typescript // middleware.ts (or middleware.js) import { NextRequest, NextResponse } from 'next/server'; import { createNextCsrfMiddleware } from '@nartix/next-csrf'; export async function middleware(req: NextRequest) { const res = NextResponse.next(); // Provide any custom options here const csrfOptions = { secret: 'your-secret-key', // Required // Additional options can be specified }; return createNextCsrfMiddleware(req, res, csrfOptions); } ``` ## Default Configuration Below is an example of the default configuration. You can override any of these options in the middleware: ```js // default config { headerName: 'X-CSRF-TOKEN', formFieldName: 'csrf_token', excludeMethods: ['GET', 'HEAD', 'OPTIONS'], algorithm: 'SHA-256', tokenByteLength: 32, separator: '.', enableHeaderCheckForJson: false, cookie: { name: 'CSRF-TOKEN', path: '/', httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'strict', maxAge: 60 * 60 * 24 * 7, // 1 week domain: undefined, }, } ``` ## How It Works 1. **Token Generation**: If the `CSRF-TOKEN` cookie does not exist, the middleware generates a new token and sets it as a cookie. 2. **Double Check**: It compares the token in the cookie to the token from the request—either via a form field, JSON body, or request header. 3. **Verification**: The token is then cryptographically validated with your secret. 4. **Optional Header Access**: You can configure `enableHeaderCheckForJson` to allow tokens to be read directly from headers for JSON requests. ## Error Handling If token validation fails, the middleware automatically returns a **403 Forbidden** response with a JSON error message. ## License MIT License. Feel free to modify and use in your projects. ---