api/csrf

api/csrf

↓ Members.

↓ Methods.

module:api/csrf

Description:

CSRF token format: TYPE,RANDOM_INT,EXPIRE_MS,[UID]

type is
- h for header
- c for cookie
Implements double cookie protection using HTTP and cookie tokens, both must be present. This means a web app must handle the HTTP header, store and return in all API requests.

In addition a token may contain the user id which must be the same for logged in users.

It must be configured to be used, by default no paths are set

Source:

api/csrf.js, line 41

Examples

enable public CSRF token, this token will be returned later to make sure a user came from the sire, not from email

api-csrf-pub-path = ^/pub/$

On all account access set new token

api-csrf-set-path = ^/account/get$

Verify token for logout, i.e. will refuse to logout if not valid

api-csrf-check-path = ^/logout/

Members

(static) age :int

Description:

Default token age in ms

Source:

api/csrf.js, line 71

Default Value:

>3600000

Description:

Header name

Source:

api/csrf.js, line 66

Default Value:

>x-csrf-token

Methods

(static) check(req, optionsopt)

Description:

For configured endpoints check for a token and fail if not present or invalid

Source:

api/csrf.js, line 119

Parameters:

Name	Type	Attributes	Description
`req`	IncomingRequest
`options`	object	<optional>

(static) clear(req)

Description:

Reset CSRF tokens from cookies and headers

Source:

api/csrf.js, line 174

Parameters:

Name	Type	Description
`req`	IncomingRequest

(static) get(req) → {string}

Description:

Return HTTP CSRF token, can be used in templates or forms, the cookie token will reuse the same token

Source:

api/csrf.js, line 76

Parameters:

Name	Type	Description
`req`	IncomingRequest

Returns:

Type	Description
string

(static) skip(req)

Description:

Do not return CSRF token in cooies or headers

Source:

api/csrf.js, line 163

Parameters:

Name	Type	Description
`req`	IncomingRequest

(static) verify(req) → {object}

Description:

Returns .ok == false if CSRF token verification fails, both header and cookie are checked and retuned as .h and .c

Source:

api/csrf.js, line 93

Parameters:

Name	Type	Description
`req`	IncomingRequest

Returns:

Type	Description
object	as { ok, h, c }

↓ Members.

↓ Methods.

module:api/csrf

Examples

Members

(static) age :int

(static) header :string

Methods

(static) check(req, optionsopt)

Parameters:

(static) clear(req)

Parameters:

(static) get(req) → {string}

Parameters:

Returns:

(static) skip(req)

Parameters:

(static) verify(req) → {object}

Parameters:

Returns: