CSRF

Logic behind CSRF token creation and verification.

Read Understanding-CSRF for more information on CSRF. Use this module to create custom CSRF middleware.

Looking for a CSRF framework for your favorite framework that uses this module?

Express/connect: csurf or alt-xsrf
Koa: koa-csrf or koa-atomic-session

Install

$ npm install csrf

TypeScript

This module includes a TypeScript declaration file to enable auto complete in compatible editors and type information for TypeScript projects.

API

var Tokens = require('csrf')

new Tokens([options])

Create a new token generation/verification instance. The options argument is optional and will just use all defaults if missing.

Options

Tokens accepts these properties in the options object.

saltLength

The length of the internal salt to use, in characters. Internally, the salt is a base 62 string. Defaults to 8 characters.

secretLength

The length of the secret to generate, in bytes. Note that the secret is passed around base-64 encoded and that this length refers to the underlying bytes, not the length of the base-64 string. Defaults to 18 bytes.

tokens.create(secret)

Create a new CSRF token attached to the given secret. The secret is a string, typically generated from the tokens.secret() or tokens.secretSync() methods. This token is what you should add into HTML <form> blocks and expect the user's browser to provide back.

var secret = tokens.secretSync()
var token = tokens.create(secret)

tokens.secret(callback)

Asynchronously create a new secret, which is a string. The secret is to be kept on the server, typically stored in a server-side session for the user. The secret should be at least per user.

tokens.secret(function (err, secret) {
  if (err) throw err
  // do something with the secret
})

tokens.secret()

Asynchronously create a new secret and return a Promise. Please see tokens.secret(callback) documentation for full details.

Note: To use promises in Node.js prior to 0.12, promises must be "polyfilled" using global.Promise = require('bluebird').

tokens.secret().then(function (secret) {
  // do something with the secret
})

tokens.secretSync()

A synchronous version of tokens.secret(callback). Please see tokens.secret(callback) documentation for full details.

var secret = tokens.secretSync()

tokens.verify(secret, token)

Check whether a CSRF token is valid for the given secret, returning a Boolean.

if (!tokens.verify(secret, token)) {
  throw new Error('invalid token!')
}

License

MIT

Name		Name	Last commit message	Last commit date
Latest commit History 294 Commits
.github		.github
benchmark		benchmark
test		test
.eslintignore		.eslintignore
.eslintrc.yml		.eslintrc.yml
.gitignore		.gitignore
HISTORY.md		HISTORY.md
LICENSE		LICENSE
README.md		README.md
index.d.ts		index.d.ts
index.js		index.js
package.json		package.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Repository files navigation

CSRF

Install

TypeScript

API

new Tokens([options])

Options

saltLength

secretLength

tokens.create(secret)

tokens.secret(callback)

tokens.secret()

tokens.secretSync()

tokens.verify(secret, token)

License

About

Uh oh!

Releases 16

Sponsor this project

Uh oh!

Packages

Used by 208k

Contributors 13

Uh oh!

Languages

Uh oh!

License

pillarjs/csrf

Folders and files

Latest commit

History

Repository files navigation

CSRF

Install

TypeScript

API

new Tokens([options])

Options

saltLength

secretLength

tokens.create(secret)

tokens.secret(callback)

tokens.secret()

tokens.secretSync()

tokens.verify(secret, token)

License

About

Topics

Resources

License

Security policy

Uh oh!

Stars

Watchers

Forks

Releases 16

Sponsor this project

Uh oh!

Packages 0

Used by 208k

Contributors 13

Uh oh!

Languages

Packages