UNPKG

mini-csrf

Version:

A small, stateless, session-less CSRF protection middleware for Express

github.com/IanKulin/mini-csrf

IanKulin/mini-csrf

124 lines (108 loc) 3.19 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
// Express-like types for compatibility without requiring @types/express interface Request { readonly ip?: string; readonly headers: { readonly [key: string]: string | string[] | undefined; readonly 'user-agent'?: string; }; readonly method: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS' | string; readonly body?: any; } interface Response {} interface NextFunction { (err?: any): void; } /** * Configuration options for CSRF protection */ export interface CsrfProtectionOptions { /** * Server secret used to generate HMAC tokens. Must be at least 32 characters long. */ secret: string; /** * Custom field names for the CSRF token and timestamp */ fieldNames?: { /** * Name of the hidden form field containing the CSRF token * @default "_csrf_token" */ token: string; /** * Name of the hidden form field containing the timestamp * @default "_csrf_time" */ time: string; }; /** * Time-to-live for tokens in milliseconds. Tokens older than this will be rejected. * Must be a positive number. * @default 3600000 (1 hour) */ ttl?: number; } /** * CSRF protection middleware function */ export interface CsrfMiddleware { (req: Request, res: Response, next: NextFunction): void; } /** * Function to generate CSRF token HTML for forms */ export interface CsrfTokenHtml { /** * Generates HTML string containing hidden input fields for CSRF token and timestamp * @param req - Express request object * @returns HTML string with hidden input fields */ (req: Request): string; } /** * Result object returned by csrfProtection function */ export interface CsrfProtectionResult { /** * Express middleware function that validates CSRF tokens on unsafe HTTP methods */ readonly middleware: CsrfMiddleware; /** * Function to generate CSRF token HTML for forms */ readonly csrfTokenHtml: CsrfTokenHtml; } /** * CSRF error with specific error code */ export interface CsrfError extends Error { /** * Error code for CSRF validation failures */ readonly code: "EBADCSRFTOKEN"; } /** * Creates CSRF protection middleware with the given options * @param options - Configuration options for CSRF protection * @returns Object containing middleware and csrfTokenHtml functions * @throws Error if secret is not provided or is less than 32 characters * @throws Error if field names are invalid or identical */ declare function csrfProtection( options: CsrfProtectionOptions ): CsrfProtectionResult; /** * Compares two strings in constant time to prevent timing attacks * @param a - First string to compare * @param b - Second string to compare * @returns True if strings are equal, false otherwise */ export declare function constantTimeEquals(a: string, b: string): boolean; /** * Validates that a field name contains only safe characters * @param name - Field name to validate * @param type - Type of field (used in error messages) * @throws Error if field name contains invalid characters */ export declare function validateFieldName(name: string, type: string): void; export default csrfProtection;