
Expose token validation function (csurf issue, OPEN, 7 comments)

expressjs commented on March 29, 2024
Expose token validation function

from csurf.

Comments (7)

gabeio commented on March 29, 2024

👍 This would be great, especially in situations where you are not using the body-parser module, as it currently cannot handle multipart bodies.

dougwilson commented on March 29, 2024

Though remember that multer and connect-multiparty will have you covered in that situation.

dougwilson commented on March 29, 2024

Or simply pass the token in the query string :)

gabeio commented on March 29, 2024

At the moment I have taken a liking to formidable. I am playing with it at the moment and I might have a workaround... if I can parse the form before csurf gets hold of it, I can just fill the fields into req.body anyway and let it pretend it's body-parser.

gabeio commented on March 29, 2024

Yeah, I got it working. I just put the formidable processor before csurf and filled req.body; it worked perfectly, but I would still like to see more public API for validation. Thanks! I might help with that if I have time :)

YourDeveloperFriend commented on March 29, 2024

Please check out my pull request for this issue: #82

BowlingX commented on March 29, 2024

I used the following to implement a state parameter for passportjs and oauth2, just in case somebody stumbles upon this topic. You can just use the csrf library to generate the state on your own:

```javascript
// @flow

import Tokens from 'csrf'

type Options = {
  cookieKey: string,   // name of the signed cookie that carries the per-session secret
  cookieSecure: boolean
}

export class CsrfTokenStore {
  options: Options
  csrf: Tokens

  constructor(options: Options) {
    this.options = options
    this.csrf = new Tokens()
  }

  // passport-oauth2 calls store(req, cb) before redirecting to the provider;
  // the returned value becomes the `state` query parameter.
  store(req: Object, cb: Function) {
    // read the secret from the signed cookie, or from req.locals on the very first
    // request, where configureMiddleware has just set the cookie but the browser
    // has not echoed it back yet
    const secret =
      req.signedCookies[this.options.cookieKey] ||
      (req.locals ? req.locals.secret : null)
    if (!secret) {
      throw new Error('Could not find auth secret')
    }
    cb(null, this.csrf.create(secret))
  }

  // passport-oauth2 calls verify(req, state, cb) on the provider callback;
  // csrf.verify returns false for a missing secret or a token made under another secret
  verify(req: Object, providedState: string, cb: Function) {
    const secret = req.signedCookies[this.options.cookieKey]
    cb(null, this.csrf.verify(secret, providedState))
  }

  // mint a secret on first contact and keep it in an httpOnly, signed cookie
  // (requires cookie-parser mounted with a signing secret before this middleware)
  configureMiddleware(app: Object, path: ?string) {
    app.use(path, async (req, res, next) => {
      if (!req.signedCookies[this.options.cookieKey]) {
        const secret = await this.csrf.secret()
        req.locals = {
          secret
        }
        res.cookie(this.options.cookieKey, secret, {
          httpOnly: true,
          secure: this.options.cookieSecure,
          signed: true
        })
      }
      next()
    })
  }
}
```

And then in your middleware:

```javascript
import OAuth2Strategy from 'passport-oauth2'
import cookieParser from 'cookie-parser'
import cookieEncrypter from 'cookie-encrypter'
import passport from 'passport'

/** .. other things */

const secret = process.env.APP_SECRET

const authStateStore = new CsrfTokenStore({
  cookieKey: authStateCookieName,
  cookieSecure: /**  true / false */
})
const auth0Strategy = new OAuth2Strategy(
  {
    /**... all the other parameters */
    store: authStateStore,
  }
)
passport.use(auth0Strategy)
app.use(cookieParser(secret))
app.use(cookieEncrypter(secret))
authStateStore.configureMiddleware(app, '/oauth_login')
app.use(passport.initialize())

app.get(
  '/oauth_login',
  passport.authenticate('oauth2', {
    scope: ['openid', 'offline_access', 'roles']
  }),
  (req, res) => {
    res.redirect('/')
  }
)
```

