Comments (7)
This module just depends on req.session being there; it doesn't provide the mechanism for how req.session works or anything, and there are quite a few different ways this is populated, for example using OAuth tokens and more. If your issue was that the session wasn't there, and the way to get your session module to work was to set that, then perhaps it is the module that is managing your sessions that should be adding that documentation?
from csurf.
While that is completely true, the issue that is displayed to the user is still "Invalid CSRF token", and from an external point of view req.session would not be too high in the list of places where I'd start debugging.
Maybe then we could add a "common errors" / "debugging csurf" or similar section in the end of the README so people can just add their problems+solutions? Otherwise I'll just rename this issue+change the original one a bit so at least people searching for this can find it.
Sure, but then every module on npm that uses req.session should also add the same information. If that is the case, I'm just going to remove support for using req.session today.
Actually, if the scenario is what you describe, we should be able to provide a different error: that you tried to validate a CSRF token when no CSRF secret has been established yet. Thus being a different error, you can better surmise that your issue is with your session module. Does that sound like a better solution?
Sure! That sounds way better, I didn't think that kind of detection was possible but now reading the code I can see it. You'd be detecting that there is no existing CSRF and that there is a provided one, so an error would be displayed, right?
Would it go just before this?
if (!secret) {
  // HERE? Check if there is value(req)?
  secret = tokens.secretSync()
  setSecret(req, res, sessionKey, secret, cookie)
}
Yep, essentially correct. Would need to do some extra refactoring to take into account the ignore methods (and ideally not invoke the value function twice).
Because if a token is incoming and a new secret is also being generated, there is certainly no way that the token will match the secret, so even trying to match is likely a waste and I figure providing a different error in that case will be better than the single error.