LagrangianPoint/simple-express-csrf
simple-express-csrf

A really simple Express.js CSRF Middleware that just works out of the box.

Are you tired of importing and testing multiple CSRF libraries in Express.js, only to find that none of them work? Then this middleware is for you! Minimal dependencies, educated guesses and conventions about your stack. It depends on another well-established CSRF library.

Install

$ npm install simple-express-csrf

This module assumes your project uses express and express-session.

To install those dependencies run:

$ npm install express express-session

TypeScript

This module includes a TypeScript declaration file to enable auto complete in compatible editors and type information for TypeScript projects.

Importing

From JavaScript, you can import it with:

const { generateCSRFToken, validateCSRFMiddleware } = require("simple-express-csrf");

// Or

import { generateCSRFToken, validateCSRFMiddleware } from "simple-express-csrf";

From TypeScript, you simply import the middleware like:

import { generateCSRFToken, validateCSRFMiddleware } from "simple-express-csrf";

API

generateCSRFToken(request: Request)

Generates a new CSRF token, which can be rendered into your form. It needs the request object as input so it can save the token and the secret in the session.

validateCSRFToken(request: Request)

Reads the csrf_token parameter from your POST request (POST is the only method that is secured) and verifies it against the secret token in the session.

validateCSRFMiddleware(onErrorCallback: Function)

Automatically validates the CSRF token sent via the POST method. If the token is valid, the request proceeds to your handler; if not, it calls the onErrorCallback function, which you can use to customize what happens when the token is invalid.

Example

This is a complete example of how the middleware can be used, with ejs as the template engine.

// app.js
const express = require("express");
const session = require("express-session");
const { generateCSRFToken, validateCSRFMiddleware } = require("simple-express-csrf");

const app = express();
const port = 4000;

app.set("view engine", "ejs");

// Parses the form body so the csrf_token field is available on req.body.
app.use(express.urlencoded({ extended: true }));

// The CSRF secret lives in the session, so express-session must be registered
// before any route that calls generateCSRFToken or uses the middleware.
app.use(session({
  secret: "SECRET_SESSION_KEY", // placeholder: use a long random value from configuration
  resave: false,
  saveUninitialized: true,
}));

app.get("/", (req, res) => {
  res.render("index", { csrf_token: generateCSRFToken(req) });
});

app.post(
  "/",
  validateCSRFMiddleware((err, req, res) => {
    return res.redirect("/404");
  }),
  (req, res) => {
    res.json({ success: true });
  }
);

app.listen(port, () => {
  console.log(`Listening on port ${port}`);
});

This is what the file views/index.ejs looks like:

    <form id="myform" action="/" method="post">
        <input type="hidden" name="csrf_token" value="<%= csrf_token %>" />
        <input type="text" name="name" placeholder="Name" />
        <button type="submit">Submit</button>
    </form>
