
nuxt-csurf


Nuxt Cross-Site Request Forgery (CSRF) Prevention

import * as csrf from "uncsrf";
import { getCookie, setCookie } from "h3";
import { useSecretKey } from "../helpers.js";
import { useRuntimeConfig, getRouteRules } from "#imports";

// Identity wrapper: hands the plugin definition back unchanged.
const defineNitroPlugin = (def) => def;

/**
 * Nitro plugin that issues a CSRF token for each server-rendered page and
 * exposes it through a `<meta name="csrf-token">` tag in the document head.
 *
 * The per-visitor secret is read from the cookie named by `csurf.cookieKey`;
 * when the request carries none, a new random secret is generated. The token
 * is derived from that secret with the key returned by `useSecretKey` and the
 * configured `encryptAlgorithm`.
 *
 * Two modes, chosen by `csurf.addCsrfTokenToEventCtx`:
 *  - truthy: the token is created in the "request" hook, stored on
 *    `event.context.csrfToken`, and the "render:html" hook only prints it.
 *    Route rules are consulted, and the cookie is not written for routes
 *    whose `csurf` rule is `false` or has `enabled: false`.
 *  - falsy: everything happens in "render:html"; route rules are not
 *    consulted here, so a missing cookie is always written.
 *
 * Review notes:
 *  - The cookie value comes from the client and is used as-is; the token
 *    depends on the server-side key as well, so presumably the verifier
 *    (not in this file) is what rejects forged pairs. Confirm there.
 *  - Cookie attributes come entirely from `csurf.cookie`; check that the
 *    deployed config sets the flags you expect (e.g. httpOnly, sameSite,
 *    secure), since nothing is enforced here.
 *  - The token is interpolated into HTML without escaping. That is safe only
 *    while `csrf.create` returns attribute-safe text. TODO confirm.
 *  - Rendered pages embed a per-visitor token and may carry Set-Cookie, so
 *    they should not be stored in a shared cache.
 */
export default defineNitroPlugin((nitroApp) => {
  const settings = useRuntimeConfig().csurf;
  const { cookieKey } = settings;

  // Derives the token for a secret; the key is resolved on every call.
  const mintToken = async (secret) => {
    const key = await useSecretKey(settings);
    return csrf.create(secret, key, settings.encryptAlgorithm);
  };

  // Markup appended to the document head.
  const metaTag = (token) => `<meta name="csrf-token" content="${token}">`;

  if (!settings.addCsrfTokenToEventCtx) {
    // Render-time mode: read or create the secret, then print the token.
    nitroApp.hooks.hook("render:html", async (html, { event }) => {
      const existing = getCookie(event, cookieKey);
      const secret = existing || csrf.randomSecret();
      if (!existing) {
        setCookie(event, cookieKey, secret, settings.cookie);
      }
      const csrfToken = await mintToken(secret);
      html.head.push(metaTag(csrfToken));
    });
    return;
  }

  // Request-time mode: make the token available to handlers via event.context.
  nitroApp.hooks.hook("request", async (event) => {
    const rule = getRouteRules(event).csurf;
    const needCookie = rule !== false && rule?.enabled !== false;
    const existing = getCookie(event, cookieKey);
    const secret = existing || csrf.randomSecret();
    // With protection disabled for the route the fresh secret is not
    // persisted, so the token below has no matching cookie.
    if (!existing && needCookie) {
      setCookie(event, cookieKey, secret, settings.cookie);
    }
    event.context.csrfToken = await mintToken(secret);
  });

  nitroApp.hooks.hook("render:html", async (html, { event }) => {
    html.head.push(metaTag(event.context.csrfToken));
  });
});