koa-csrf
CSRF tokens for Koa
Last updated 10 months ago by niftylettuce .

Install

For versions of Koa <2.x, please use koa-csrf@2.x

npm:

npm install koa-csrf

yarn:

yarn add koa-csrf

Usage

  1. Add the middleware to your Koa app (the default options are shown):

    const Koa = require('koa');
    const bodyParser = require('koa-bodyparser');
    const session = require('koa-generic-session');
    const convert = require('koa-convert');
    const CSRF = require('koa-csrf');
    
    const app = new Koa();
    
    // set the session keys
    app.keys = [ 'a', 'b' ];
    
    // add session support
    app.use(convert(session()));
    
    // add body parsing
    app.use(bodyParser());
    
    // add the CSRF middleware
    app.use(new CSRF({
      invalidTokenMessage: 'Invalid CSRF token',
      invalidTokenStatusCode: 403,
      excludedMethods: [ 'GET', 'HEAD', 'OPTIONS' ],
      disableQuery: false
    }));
    
    // your middleware here (e.g. parse a form submit)
    app.use((ctx, next) => {
      if (![ 'GET', 'POST' ].includes(ctx.method))
        return next();
      if (ctx.method === 'GET') {
        ctx.body = ctx.csrf;
        return;
      }
      ctx.body = 'OK';
    });
    
    app.listen();
    
  2. Add the CSRF token in your template forms:

    Jade Template:

    form(action='/register', method='POST')
      input(type='hidden', name='_csrf', value=csrf)
      input(type='email', name='email', placeholder='Email')
      input(type='password', name='password', placeholder='Password')
      button(type='submit') Register
    

    EJS Template:

    <form action="/register" method="POST">
      <input type="hidden" name="_csrf" value="<%= csrf %>" />
      <input type="email" name="email" placeholder="Email" />
      <input type="password" name="password" placeholder="Password" />
      <button type="submit">Register</button>
    </form>
    

Options

  • invalidTokenMessage (String or Function) - defaults to 'Invalid CSRF token', but can also be a function that accepts one argument ctx (useful for i18n translation, e.g. using ctx.request.t('some message') via @ladjs/i18n)
  • invalidTokenStatusCode (Number) - defaults to 403
  • excludedMethods (Array) - defaults to [ 'GET', 'HEAD', 'OPTIONS' ]
  • disableQuery (Boolean) - defaults to false

Open Source Contributor Requests

  • [ ] Existing methods from 1.x package added to 3.x
  • [ ] Existing tests from 1.x package added to 3.x

Contributors

Name: Nick Baugh
Website: https://github.com/niftylettuce

License

MIT © Jonathan Ong

Current Tags

  • 3.0.8 - latest (10 months ago)
