pillarjs / csrf
208 Stars 21 Forks Last release: over 1 year ago (3.1.0) MIT License 196 Commits 21 Releases

CSRF

Logic behind CSRF token creation and verification.

Read Understanding-CSRF for more information on CSRF. Use this module to create custom CSRF middleware.

Looking for ready-made CSRF middleware for your favorite framework that uses this module?

Install

$ npm install csrf

TypeScript

This module includes a TypeScript declaration file to enable auto complete in compatible editors and type information for TypeScript projects.

API

var Tokens = require('csrf')

new Tokens([options])

Create a new token generation/verification instance. The options argument is optional; if it is missing, all defaults are used.

Options

Tokens accepts these properties in the options object.

saltLength

The length of the internal salt to use, in characters. Internally, the salt is a base 62 string. Defaults to 8 characters.

secretLength

The length of the secret to generate, in bytes. Note that the secret is passed around base-64 encoded and that this length refers to the underlying bytes, not the length of the base-64 string. Defaults to 18 bytes.

tokens.create(secret)

Create a new CSRF token attached to the given secret. The secret is a string, typically generated from the tokens.secret() or tokens.secretSync() methods. This token is what you should add into HTML <form> blocks and expect the user's browser to provide back.


var secret = tokens.secretSync()
var token = tokens.create(secret)

tokens.secret(callback)

Asynchronously create a new secret, which is a string. The secret is to be kept on the server, typically stored in a server-side session for the user. The secret should be unique to at least each user (never one secret shared across users).

tokens.secret(function (err, secret) {
  if (err) throw err
  // do something with the secret
})

tokens.secret()

Asynchronously create a new secret and return a Promise. Please see the tokens.secret(callback) documentation for full details.

Note: To use promises in Node.js prior to 0.12, promises must be "polyfilled" using global.Promise = require('bluebird').

tokens.secret().then(function (secret) {
  // do something with the secret
})

tokens.secretSync()

A synchronous version of tokens.secret(callback). Please see the tokens.secret(callback) documentation for full details.

var secret = tokens.secretSync()

tokens.verify(secret, token)

Check whether a CSRF token is valid for the given secret, returning a Boolean.

if (!tokens.verify(secret, token)) {
  throw new Error('invalid token!')
}

License

MIT