/**
* CSRF Protection Usage Example
* Demonstrates how to use the CSRF protection system
*/
import { pathToFileURL } from 'node:url';
import { CSRFManager } from './csrf-manager';
// Example configuration
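// Example configuration.
// The secret is taken from the CSRF_SECRET environment variable when one is
// set; the literal below is only a placeholder so the example runs out of the
// box. A real deployment must supply a long, random secret from the
// environment or a secret store rather than a value checked into source.
// `globalThis.process?.` keeps this safe in runtimes without a `process` global.
const config = {
  secret: globalThis.process?.env?.CSRF_SECRET ?? 'your-secret-key-here-should-be-random-and-secure',
  tokenExpiry: 60 * 60 * 1000, // 1 hour, in milliseconds
  cookieName: '__csrf-token',
  headerName: 'X-CSRF-Token',
  fieldName: '_csrf',
  secureCookie: true,   // presumably maps to the cookie's Secure attribute — confirm in CSRFManager
  httpOnlyCookie: true, // presumably maps to the cookie's HttpOnly attribute — confirm in CSRFManager
  sameSite: 'strict'
};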
// Initialize CSRF manager
// Single shared manager used by every example below; it is destroyed at the
// end of the direct-run block once all examples have finished.
const csrfManager = new CSRFManager(config);
// Example 1: Session-based CSRF protection
/**
 * Session-bound token flow: mint a token for a session, render it as a form
 * field, validate the bare token, then validate a simulated request that
 * carries the token in the CSRF header.
 */
function sessionBasedExample() {
  console.log('=== Session-based CSRF Protection ===');
  const sid = 'user-session-12345';

  // Mint a token tied to this session and show its value
  const issued = csrfManager.generateToken(sid);
  console.log('Generated token:', issued.value);

  // Form-field HTML carrying the token for this session
  console.log('Form field HTML:', csrfManager.generateFormField(sid));

  // Check the bare token against the session it was issued for
  console.log('Token validation:', csrfManager.validateToken(issued.value, sid));

  // Simulate an incoming request that echoes the token in the custom header
  const simulatedRequest = {
    headers: { 'X-CSRF-Token': issued.value },
    sessionId: sid,
  };
  console.log('Request validation:', csrfManager.validateRequest(simulatedRequest));
}
// Example 2: Double-submit cookie pattern
/**
 * Double-submit cookie flow: the manager prepares response headers and
 * cookies for a session, then a simulated request echoes the header value and
 * the first cookie's value back for validation.
 */
function doubleSubmitExample() {
  console.log('\n=== Double-Submit Cookie Pattern ===');
  const sid = 'user-session-67890';

  const setup = csrfManager.setupDoubleSubmitProtection(sid);
  console.log('Response headers:', setup.headers);
  console.log('Response cookies:', setup.cookies);

  // Echo both halves back the way a client would. Empty strings stand in for
  // anything the setup did not produce. The cookie key is hard-coded here and
  // must stay in sync with config.cookieName.
  const headerValue = setup.headers['X-CSRF-Token'] || '';
  const cookieValue = setup.cookies[0]?.value || '';
  const echoedRequest = {
    headers: { 'X-CSRF-Token': headerValue },
    cookies: { '__csrf-token': cookieValue },
  };
  console.log('Double-submit validation:', csrfManager.validateRequest(echoedRequest));
}
// Example 3: Client-side integration
/**
 * Generates the client-side script for a session and reports its size and
 * whether it contains the form-injection and AJAX-interceptor helpers.
 */
function clientSideExample() {
  console.log('\n=== Client-side Integration ===');
  const script = csrfManager.generateClientScript('user-session-12345');
  // Presence checks are plain substring tests on the generated source
  const hasFormInjection = script.includes('injectFormTokens');
  const hasAjaxInterceptor = script.includes('setupAjaxInterceptor');
  console.log('Client script length:', script.length, 'characters');
  console.log('Script includes form injection:', hasFormInjection);
  console.log('Script includes AJAX interceptor:', hasAjaxInterceptor);
}
// Example 4: Express.js middleware example
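/**
 * Builds an Express-style middleware that enforces CSRF validation on
 * state-changing requests. Safe methods (GET, HEAD, OPTIONS) are skipped so
 * that reads and CORS preflights are not rejected; every other request must
 * carry a valid token bound to the current session. The middleware is only
 * constructed and described here, not mounted.
 */
function expressMiddlewareExample() {
  console.log('\n=== Express.js Middleware Example ===');

  // Methods defined as safe by HTTP semantics (RFC 9110): they must not change
  // state, so there is nothing for a forged cross-site request to achieve.
  // The original skipped only GET, which would also reject CORS preflight
  // (OPTIONS) requests with a 403.
  const safeMethods = new Set(['GET', 'HEAD', 'OPTIONS']);

  // This would be used in an Express.js application
  const csrfMiddleware = (req, res, next) => {
    if (safeMethods.has(req.method)) {
      return next();
    }
    // Session ID from the session middleware; without one there is nothing to
    // bind the token to, so the request is refused rather than let through.
    const sessionId = req.session?.id || req.sessionID;
    if (!sessionId) {
      return res.status(403).json({ error: 'Session required' });
    }
    // Shape the Express request into what the manager validates
    const csrfRequest = {
      headers: req.headers,
      body: req.body,
      cookies: req.cookies,
      sessionId,
    };
    const validation = csrfManager.validateRequest(csrfRequest);
    if (!validation.valid) {
      // NOTE(review): validation.error is passed straight to the client;
      // confirm it contains nothing more specific than is intended to be exposed.
      return res.status(403).json({
        error: 'CSRF validation failed',
        message: validation.error,
      });
    }
    next();
  };

  console.log('Express middleware created');
  console.log('Usage: app.use(csrfMiddleware)');
}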
// Example 5: Statistics and monitoring
/**
 * Mints a few tokens across two sessions, then prints the manager's
 * statistics and a subset of its active configuration.
 */
function statisticsExample() {
  console.log('\n=== Statistics and Monitoring ===');

  // Two tokens for one session and one for another so the stats are non-trivial
  for (const sid of ['session-1', 'session-1', 'session-2']) {
    csrfManager.generateToken(sid);
  }
  console.log('CSRF Statistics:', csrfManager.getStats());

  // Distinct local name so the module-level `config` is not shadowed
  const activeConfig = csrfManager.getConfig();
  const { tokenExpiry, cookieName, headerName, fieldName } = activeConfig;
  console.log('CSRF Configuration:', { tokenExpiry, cookieName, headerName, fieldName });
}
// Run examples
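// Run every example only when this file is executed directly (for example
// `node example.js`), not when it is imported. The original used the CommonJS
// `require.main === module` check, which throws a ReferenceError in an ES
// module (this file uses `import`/`export`) because neither `require` nor
// `module` is defined there. Comparing import.meta.url with the entry script
// is the ES-module equivalent; the guards keep it inert where `process` or
// argv[1] is absent.
const isDirectRun =
  typeof process !== 'undefined' &&
  typeof process.argv?.[1] === 'string' &&
  import.meta.url === pathToFileURL(process.argv[1]).href;
if (isDirectRun) {
  sessionBasedExample();
  doubleSubmitExample();
  clientSideExample();
  expressMiddlewareExample();
  statisticsExample();
  // Clean up the shared manager once all examples have run
  csrfManager.destroy();
}
export { clientSideExample, doubleSubmitExample, expressMiddlewareExample, sessionBasedExample, statisticsExample };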
//# sourceMappingURL=example.js.map