UNPKG

csrf-validator

Version:

CSRF Validator for Node.js

github.com/ohawks-js/csrf-validator/blob/master/README.md

ohawks-js/csrf-validator

158 lines (128 loc) 5.66 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
# csrf-validator [![NPM Version][npm-version-image]][npm-url] [![NPM Downloads][npm-downloads-image]][node-url] [![Node.js Version][node-image]][node-url] <a href="https://discord.gg/YyxmehbX"><img src="https://img.shields.io/badge/Discord-7289DA?style=for-the-badge&logo=discord&logoColor=white" /></a> A [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) validator library for Node.js and Nestjs. Using this library will let you directly configure CSRF Validator for your app without a [cookie-parser](https://www.npmjs.com/package/cookie-parser) as it is already built in. You will have an option to manually add cookie parser as well. ## Installation This package is published over [npm registry](https://www.npmjs.com/). ```sh $ npm install csrf-validator ``` ## Implementation <!-- eslint-disable no-unused-vars --> There are two types of implementations available. 1. Without configuring `cookie-parser` and `cookie-session` 2. With configuring `cookie-parser` and `cookie-session` manually #### 1. Without configuring `cookie-parser` and `cookie-session` In this method, you don't have to configure `cookie-parser` and `cookie-session` manually, it will automatically get configured ###### Express.js ```js var express = require('express'); var app = express(); CSRFValidator.instance( { tokenSecretKey: 'A secret key for encrypting csrf token', ignoredMethods: [], ignoredRoutes: ['/login'], entryPointRoutes: ['/login'], cookieKey: 'Optional - Custom csrf cookie key', cookieSecretKey: 'Cookie secret key for cookie-parser', cookieSessionKeys: [ 'First session key for cookie-session', 'Second session key for cookie-session' ] } ).configureApp(app); ``` ###### NestJS ```js import { NestFactory } from '@nestjs/core'; import { AppModule } from './app.module'; async function bootstrap() { const app = await NestFactory.create(AppModule); CSRFValidator.instance( { tokenSecretKey: 'A secret key for encrypting csrf token', ignoredMethods: [], ignoredRoutes: ['/login'], entryPointRoutes: ['/login'], cookieKey: 'Optional - Custom csrf cookie key', cookieSecretKey: 'Cookie secret key for cookie-parser', cookieSessionKeys: [ 'First session key for cookie-session', 'Second session key for cookie-session' ] } ).configureApp(app); } ``` #### 2. With configuring `cookie-parser` and `cookie-session` manually In this method, you have to configure `cookie-parser` and `cookie-session` manually ###### Express.js ```js var express = require('express'); var cookieSession = require('cookie-session'); var cookieParser = require('cookie-parser'); var app = express(); app.use(cookieParser('Cookie secret key for cookie-parser')); app.use(cookieSession({ keys: [ 'First session key for cookie-session', 'Second session key for cookie-session' ] })); app.use(CSRFValidator.instance({ tokenSecretKey: 'A secret key for encrypting csrf token', ignoredMethods: [], ignoredRoutes: ['/login'], entryPointRoutes: ['/login'], cookieKey: 'Optional - Custom csrf cookie key' }).configure()); ``` ###### NestJS ```js import { NestFactory } from '@nestjs/core'; import { AppModule } from './app.module'; import * as cookieSession from 'cookie-session'; import * as cookieParser from 'cookie-parser'; async function bootstrap() { const app = await NestFactory.create(AppModule); app.use(cookieParser('Cookie secret key for cookie-parser')); app.use(cookieSession({ keys: [ 'First session key for cookie-session', 'Second session key for cookie-session' ] })); app.use(CSRFValidator.instance({ tokenSecretKey: 'A secret key for encrypting csrf token', ignoredMethods: [], ignoredRoutes: ['/login'], entryPointRoutes: ['/login'], cookieKey: 'Optional - Custom csrf cookie key' }).configure()); } ``` ## Configuration Just like demonstrated above, you have to call either `CSRFValidator.instance().configreApp(app)` or `app.use(CSRFValidator.instance().configreApp())` with `CSRFValidatorOptions` to configure. ### CSRFValidatorOptions |Field|Usage|Example| |:---:|:---:|:---:| |tokenSecretKey|This is a secret key used to encrypt CSRF tokens|`'6e655c9df6374cfa8a2d77c5f5d7d'`| |ignoredMethods|Array of methods, those will be ignored at the time of CSRF token verification. But still won't set any token in response.|`['GET', 'POST']`| |ignoredRoutes|Array of routes, those will be ignored at the time of CSRF token verification. But still won't set any token in response.|`['/login', '/user']`| |entryPointRoutes|Array of routes, if the routes ignored like above, you still need a starting point. Setting entry point routes will treat those routes to set the CSRF token in response.|`['/login']`| |cookieKey|This is an optional filed. You can customize the token key name using this field|`'custom-csrf-cookie'`| |cookieSecretKey|This is a secret key to setup `cookie-parser`|`'5edc865af772d214c6d9893b57a51'`| |cookieSessionKeys|This is an array of secret keys to setup `cookie-session`|`['7f6cb6e3c9cefd7b2c6b76826516d', 'ff675b9dcb1d6324d96789ef939b1']`| ## License [MIT](LICENSE) [node-image]: https://badgen.net/npm/node/csrf [node-url]: https://nodejs.org/en/download [node-url]: https://nodejs.org/en/download [npm-downloads-image]: https://badgen.net/npm/dm/csrf-validator [npm-url]: https://npmjs.org/package/csrf-validator [npm-version-image]: https://badgen.net/npm/v/npm