cv
csrf-validator
npm i csrf-validator
cv

csrf-validator

CSRF Validator for Node.js

by Sajeer Babu

1.1.4 (see all)License:MITTypeScript:Not FoundCategories:Express Data Validation
npm i csrf-validator
Readme

csrf-validator

NPM Version NPM Downloads Node.js Version

A CSRF validator library for Node.js and Nestjs.

Using this library will let you directly configure CSRF Validator for your app without a cookie-parser as it is already built in.

You will have an option to manually add cookie parser as well.

Installation

This package is published over npm registry.

$ npm install csrf-validator

Implementation

There are two types of implementations available.

  1. Without configuring cookie-parser and cookie-session
  2. With configuring cookie-parser and cookie-session manually

In this method, you don't have to configure cookie-parser and cookie-session manually, it will automatically get configured

Express.js
var express = require('express');

var app = express();

CSRFValidator.instance(
        {
          tokenSecretKey: 'A secret key for encrypting csrf token',
          ignoredMethods: [],
          ignoredRoutes: ['/login'],
          entryPointRoutes: ['/login'],
          cookieKey: 'Optional - Custom csrf cookie key',
          cookieSecretKey: 'Cookie secret key for cookie-parser',
          cookieSessionKeys: [
            'First session key for cookie-session',
            'Second session key for cookie-session'
          ]
        }
).configureApp(app);
NestJS
import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';

async function bootstrap() {
  const app = await NestFactory.create(AppModule);

  CSRFValidator.instance(
          {
            tokenSecretKey: 'A secret key for encrypting csrf token',
            ignoredMethods: [],
            ignoredRoutes: ['/login'],
            entryPointRoutes: ['/login'],
            cookieKey: 'Optional - Custom csrf cookie key',
            cookieSecretKey: 'Cookie secret key for cookie-parser',
            cookieSessionKeys: [
              'First session key for cookie-session',
              'Second session key for cookie-session'
            ]
          }
  ).configureApp(app);
}

In this method, you have to configure cookie-parser and cookie-session manually

Express.js
var express = require('express');
var cookieSession = require('cookie-session');
var cookieParser = require('cookie-parser');

var app = express();
app.use(cookieParser('Cookie secret key for cookie-parser'));
app.use(cookieSession({
  keys: [
    'First session key for cookie-session',
    'Second session key for cookie-session'
  ]
}));

app.use(CSRFValidator.instance({
  tokenSecretKey: 'A secret key for encrypting csrf token',
  ignoredMethods: [],
  ignoredRoutes: ['/login'],
  entryPointRoutes: ['/login'],
  cookieKey: 'Optional - Custom csrf cookie key'
}).configure());
NestJS
import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';
import * as cookieSession from 'cookie-session';
import * as cookieParser from 'cookie-parser';

async function bootstrap() {
  const app = await NestFactory.create(AppModule);
  app.use(cookieParser('Cookie secret key for cookie-parser'));
  app.use(cookieSession({
    keys: [
      'First session key for cookie-session',
      'Second session key for cookie-session'
    ]
  }));

  app.use(CSRFValidator.instance({
    tokenSecretKey: 'A secret key for encrypting csrf token',
    ignoredMethods: [],
    ignoredRoutes: ['/login'],
    entryPointRoutes: ['/login'],
    cookieKey: 'Optional - Custom csrf cookie key'
  }).configure());
}

Configuration

Just like demonstrated above, you have to call either CSRFValidator.instance().configreApp(app) or app.use(CSRFValidator.instance().configreApp()) with CSRFValidatorOptions to configure.

CSRFValidatorOptions

FieldUsageExample
tokenSecretKeyThis is a secret key used to encrypt CSRF tokens'6e655c9df6374cfa8a2d77c5f5d7d'
ignoredMethodsArray of methods, those will be ignored at the time of CSRF token verification. But still won't set any token in response.['GET', 'POST']
ignoredRoutesArray of routes, those will be ignored at the time of CSRF token verification. But still won't set any token in response.['/login', '/user']
entryPointRoutesArray of routes, if the routes ignored like above, you still need a starting point. Setting entry point routes will treat those routes to set the CSRF token in response.['/login']
cookieKeyThis is an optional filed. You can customize the token key name using this field'custom-csrf-cookie'
cookieSecretKeyThis is a secret key to setup cookie-parser'5edc865af772d214c6d9893b57a51'
cookieSessionKeysThis is an array of secret keys to setup cookie-session['7f6cb6e3c9cefd7b2c6b76826516d', 'ff675b9dcb1d6324d96789ef939b1']

License

MIT