CSRF

Logic behind CSRF token creation and verification.

Read Understanding-CSRF for more information on CSRF. Use this module to create custom CSRF middleware.

Looking for a CSRF framework for your favorite framework that uses this module?

Install

$ npm install csrf

TypeScript

This module includes a TypeScript declaration file to enable auto complete in compatible editors and type information for TypeScript projects.

API

var Tokens = require('csrf')

new Tokens([options])

Create a new token generation/verification instance. The options argument is optional; when it is omitted, all defaults are used.

Options

Tokens accepts these properties in the options object.

saltLength

The length of the internal salt to use, in characters. Internally, the salt is a base-62 string. Defaults to 8 characters.

secretLength

The length of the secret to generate, in bytes. Note that the secret is passed around base-64 encoded and that this length refers to the underlying bytes, not the length of the base-64 string. Defaults to 18 bytes.

tokens.create(secret)

Create a new CSRF token attached to the given secret. The secret is a string, typically generated from the tokens.secret() or tokens.secretSync() methods. This token is what you should add into HTML <form> blocks and expect the user's browser to provide back.

var secret = tokens.secretSync()
var token = tokens.create(secret)

tokens.secret(callback)

Asynchronously create a new secret, which is a string. The secret is to be kept on the server, typically stored in a server-side session for the user. The secret should be unique at least per user.

tokens.secret(function (err, secret) {
  if (err) throw err
  // do something with the secret
})

tokens.secret()

Asynchronously create a new secret and return a Promise. Please see tokens.secret(callback) documentation for full details.

Note: To use promises in Node.js prior to 0.12, promises must be "polyfilled" using global.Promise = require('bluebird').

tokens.secret().then(function (secret) {
  // do something with the secret
})

tokens.secretSync()

A synchronous version of tokens.secret(callback). Please see tokens.secret(callback) documentation for full details.

var secret = tokens.secretSync()

tokens.verify(secret, token)

Check whether a CSRF token is valid for the given secret, returning a Boolean.

if (!tokens.verify(secret, token)) {
  throw new Error('invalid token!')
}

License

MIT
