koajs/csrf

koa-csrf

CSRF tokens for Koa

NOTE: As of v5.0.0, ctx.csrf, ctx_csrf, and ctx.response.csrf are removed; use ctx.state._csrf instead. The invalidTokenMessage and invalidTokenStatusCode options have also been dropped in favor of a single errorHandler function option.

Install

npm:

npm install koa-csrf

Usage

  1. Add middleware in Koa app (see options below):

    const Koa = require('koa');
    const bodyParser = require('koa-bodyparser');
    const session = require('koa-generic-session');
    const convert = require('koa-convert');
    const CSRF = require('koa-csrf');
    
    const app = new Koa();
    
    // set the session keys (these sign the session cookie; use long random
    // values in a real deployment, 'a' and 'b' are placeholders for this example)
    app.keys = [ 'a', 'b' ];
    
    // add session support (the middleware keeps its per-session CSRF secret here,
    // so session must be mounted before CSRF)
    app.use(convert(session()));
    
    // add body parsing (the token is read from the parsed body's `_csrf` field,
    // so the body parser must also run before CSRF)
    app.use(bodyParser());
    
    // add the CSRF middleware: it sets ctx.state._csrf on every request and
    // rejects non-excluded methods (POST, PUT, ...) that lack a valid token
    app.use(new CSRF());
    
    // your middleware here (e.g. parse a form submit)
    app.use((ctx, next) => {
      if (![ 'GET', 'POST' ].includes(ctx.method))
        return next();
      if (ctx.method === 'GET') {
        // hand the current token to the client (normally via a template, see step 2)
        ctx.body = ctx.state._csrf;
        return;
      }
      // a POST only reaches this point if the CSRF middleware accepted its token
      ctx.body = 'OK';
    });
    
    app.listen();
  2. Add the CSRF token in your template forms:

    Jade (now Pug) Template:

    form(action='/register', method='POST')
      input(type='hidden', name='_csrf', value=_csrf)
      input(type='email', name='email', placeholder='Email')
      input(type='password', name='password', placeholder='Password')
      button(type='submit') Register

    EJS Template:

    <form action="/register" method="POST">
      <input type="hidden" name="_csrf" value="<%= _csrf %>" />
      <input type="email" name="email" placeholder="Email" />
      <input type="password" name="password" placeholder="Password" />
      <button type="submit">Register</button>
    </form>

Options

  • errorHandler (Function) - called with ctx when a request has a missing or invalid token; defaults to a function that returns ctx.throw(403, 'Invalid CSRF token')
  • excludedMethods (Array) - request methods that are never checked; defaults to [ 'GET', 'HEAD', 'OPTIONS' ]. Because these methods bypass the check, no handler that changes state should be reachable through them.
  • disableQuery (Boolean) - defaults to false, meaning a token in the _csrf query-string parameter is accepted. Set it to true so that tokens are only taken from the request body or headers and never appear in URLs, server logs, or Referer headers.
  • ignoredPathGlobs (Array) - defaults to an empty Array, but you can pass an Array of glob paths to ignore. Every path that matches is left unprotected, so limit this to endpoints that do not rely on cookie-based sessions (for example an API authenticated by a bearer token).

Contributors

Name Website
Nick Baugh https://github.com/niftylettuce
Imed Jaberi https://www.3imed-jaberi.com/

License

MIT © Jonathan Ong