Comments (7)
👍 This would be great, especially in situations where you are not using the body-parser module, as it currently cannot handle multipart bodies.
from csurf.
Though remember that multer and connect-multiparty will have you covered in that situation.
Or simply pass the token in the query string :)
At the moment I have taken a liking to formidable. I am playing with it at the moment and I might have a workaround... if I can parse the form before csurf gets hold of it, I can just fill the fields into req.body anyway and let it pretend it's body-parser.
Yeah, I got it working. I just put the formidable processor before csurf and filled req.body. Worked perfectly, but I would still like to see more public API for validation. Thanks! Might help with that if I have time :)
Please check out my pull request for this issue: #82
I used the following to implement a state parameter for passportjs and oauth2, just in case somebody stumbles upon this topic. You can just use the csrf library to generate the state on your own:
```js
// @flow
import Tokens from 'csrf'

type Options = {
  cookieKey: string,    // name of the signed cookie that holds the secret
  cookieSecure: boolean // send that cookie over HTTPS only
}

// State store for passport-oauth2: the per-browser secret lives in a signed,
// httpOnly cookie, and each OAuth `state` value is a csrf token derived from it.
export class CsrfTokenStore {
  options: Options
  csrf: Tokens

  constructor(options: Options) {
    this.options = options
    this.csrf = new Tokens()
  }

  // Called by passport-oauth2 while it builds the authorize redirect.
  store(req: Object, cb: Function) {
    // Use the secret from the cookie, or the one the middleware minted on this
    // very request (it only shows up in req.signedCookies from the next request on).
    const secret =
      req.signedCookies[this.options.cookieKey] ||
      (req.locals ? req.locals.secret : null)
    if (!secret) {
      throw new Error('Could not find auth secret')
    }
    cb(null, this.csrf.create(secret))
  }

  // Called by passport-oauth2 on the callback request. `ok` is false when the
  // cookie is missing or the presented state was not minted from its secret.
  verify(req: Object, providedState: string, cb: Function) {
    const secret = req.signedCookies[this.options.cookieKey]
    cb(null, this.csrf.verify(secret, providedState))
  }

  // Mount before passport.initialize(): mints the secret on the first visit.
  configureMiddleware(app: Object, path: ?string) {
    app.use(path || '/', async (req, res, next) => {
      try {
        if (!req.signedCookies[this.options.cookieKey]) {
          const secret = await this.csrf.secret()
          req.locals = { secret }
          res.cookie(this.options.cookieKey, secret, {
            httpOnly: true,
            secure: this.options.cookieSecure,
            signed: true
          })
        }
        next()
      } catch (err) {
        next(err) // Express 4 does not catch rejections from async middleware
      }
    })
  }
}
```
And then in your middleware:
```js
import OAuth2Strategy from 'passport-oauth2'
import cookieParser from 'cookie-parser'
import cookieEncrypter from 'cookie-encrypter'
import passport from 'passport'
import { CsrfTokenStore } from './CsrfTokenStore' // path assumed; the class from the snippet above
/** ... other things */
const secret = process.env.APP_SECRET
const authStateCookieName = 'auth_state' // cookie name, assumed
const authStateStore = new CsrfTokenStore({
  cookieKey: authStateCookieName,
  cookieSecure: true // true / false depending on whether the site is served over HTTPS
})
const auth0Strategy = new OAuth2Strategy(
  {
    /** ... all the other parameters */
    store: authStateStore,
  }
)
passport.use(auth0Strategy)
// cookie-parser must run with the same secret so req.signedCookies is populated.
app.use(cookieParser(secret))
app.use(cookieEncrypter(secret))
authStateStore.configureMiddleware(app, '/oauth_login')
app.use(passport.initialize())
app.get(
  '/oauth_login',
  passport.authenticate('oauth2', {
    scope: ['openid', 'offline_access', 'roles']
  }),
  (req, res) => {
    res.redirect('/')
  }
)
// The OAuth callback route (not shown here) also calls passport.authenticate('oauth2', ...),
// which is where the store's verify() runs against the returned state.
```