Comments (9)
Hmm, not sure. What version of Node.js is the error occurring on? Any way I can reproduce? The versions running on Travis CI are not having the issue.
I'm using 0.12.1, npm 2.5.1. What's interesting is if I open up a node console and run
c.createHash('sha1').update("salt").update("-").digest("base64")
it works fine. But when it runs within my app, I get the issue described above.
Gotcha. I'm not able to reproduce on 0.12.1. Any way you can help me? Can you paste a complete file I can paste on my system and run that will throw that error?
Figured out the issue.
I was using https://github.com/jas-/connect-redis-crypto/blob/master/lib/connect-redis.js
This file has a line crypto.DEFAULT_ENCODING = 'hex'. That leaves the DEFAULT_ENCODING at 'hex', so when csurf calls .update('-') it crashes.
In a node console, doing
crypto.DEFAULT_ENCODING = "hex"
crypto.createHash('sha1').update('salt').update('-')
gives me the error I mentioned earlier.
Seems like one shouldn't change the DEFAULT_ENCODING as it might affect other modules, but should csurf be explicit about what encoding needs to be used?
Any general thoughts on this?
Thanks a lot for being so responsive by the way 💃
Ah ha! Yes, I agree on both points: no, a module should not be doing that and yes, we should be explicit, especially since it won't hurt anything. Feel free to submit a PR, otherwise I'll get around to it eventually :)
Ok, I'm going to add the explicitness now :) I also noticed that the above crypto
is not actually a part of this module, but rather a part of a dependency, so I'll be updating the csrf
module and closing this issue :)
Ok, version 1.8.1 will be published shortly with the fix :)
Awesome! Thanks!!