UNPKG

csrf-guard

Version:

Simple Anti-CSRF Token implementation for Express applications.

github.com/venomaze/csrf-guard

venomaze/csrf-guard

65 lines (55 loc) 2.25 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
const crypto = require('crypto'); const util = require('util'); class SynchronizerPattern { /** * @property {Function} generateToken - Generate a random token with the given length * @access private * @param {Number} [length] - The length of the token bytes (optional) * @returns {String} - The generated token */ static async generateToken(length = 16) { const randomBytes = util.promisify(crypto.randomBytes); const bytes = await randomBytes(length); const token = bytes.toString('hex'); return token; } /** * @property {Function} signToken - Sign the token with the given secret key * @access private * @param {String} token - The token which is going to be signed * @param {String} secret - The secret which is used for signing * @returns {String} - The signed key */ static signToken(token, secret) { const hash = crypto.createHmac('sha256', secret).update(token); const signedToken = hash.digest('hex'); return signedToken; } /** * @property {Function} verifyToken - Verify if the token is valid or not * @param {String} token - The token to be verified (Server token) * @param {String} signedToken - The signed token to compare with (Client token) * @param {String} secret - The secret which is used for signed token * @returns {Boolean} - True if the given token is valid */ static verifyToken(token, signedToken, secret) { const expected = this.signToken(token, secret); const isValid = expected === signedToken; return isValid; } /** * @property {Function} getToken - Generate and sign a new token * @param {String} secret - The secret key which is used for signing tokens * @param {Number} [tokenLength] - The length of the token bytes (optional) * @returns {Object} - An object containing both generated (For server) and signed (For client) tokens */ static async getToken(secret, tokenLength = 16) { const token = await this.generateToken(tokenLength); const signedToken = this.signToken(token, secret); return { serverToken: token, clientToken: signedToken, }; } } module.exports = SynchronizerPattern;