csurf | CSRF token middleware | Runtime Environment library

by expressjs | JavaScript | Version: 1.11.0 | License: MIT

kandi X-RAY | csurf Summary

csurf is a JavaScript library typically used in Server, Runtime Environment, Node.js and Express.js applications. kandi reports no bugs and no known vulnerabilities for it; it has a permissive (MIT) license and medium support. You can install it with 'npm i csurf' (the package name is csurf, not xsrf) or download it from GitHub or npm. Note that the csurf package has since been deprecated on npm and its GitHub repository archived, so no releases beyond 1.11.0 should be expected.

Node.js CSRF protection middleware for Express. It needs somewhere to keep the per-client secret that tokens are derived from, so either a session middleware (the default, session mode) or cookie-parser (cookie mode, enabled with csurf({ cookie: true })) must be initialized before it. If you have questions on how this module is implemented, please read Understanding CSRF.

Support

              csurf has a medium active ecosystem.
              It has 2111 star(s) with 198 fork(s). There are 41 watchers for this library.
              It had no major release in the last 12 months.
              There are 18 open issues and 174 have been closed. On average issues are closed in 33 days. There are 9 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of csurf is 1.11.0

Quality

              csurf has 0 bugs and 0 code smells.

Security

kandi's automated scan reports no vulnerabilities in csurf or its dependencies, 0 unresolved vulnerabilities in its code analysis and 0 security hotspots needing review.
That scan covers known advisories, not integration mistakes: the discussions below show that csurf failures in practice are almost always misconfiguration (middleware order, missing body parser, token or cookie not sent), which no dependency scan will flag.

License

              csurf is licensed under the MIT License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

Reuse

              csurf releases are available to install and integrate.
              Deployable package is available in npm.
              Installation instructions, examples and code snippets are available.

            Top functions reviewed by kandi - BETA

            kandi has reviewed csurf and discovered the below as its top functions. This is intended to give you an instant insight into csurf implemented functionality, and help decide if they suit your requirements.
• Default value validation for CSRF response.

            csurf Key Features

            No Key Features are available at this moment for csurf.

csurf Examples and Code Snippets

The snippets kandi associated with csurf are truncated excerpts from Stack Overflow answers (licensed CC BY-SA 4.0); most concern ASP.NET antiforgery or axios rather than csurf itself, and each is cut off where shown.

How to bind a Razor Pages checkbox click event to server-side code
Lines of code: 53 | License: CC BY-SA 4.0 (excerpt)

    // itemId can also be Guid
    public async Task OnPostMyAction(long itemId, bool isEnabled)
    {
        await mRepository.EnableItem(itemId, isEnabled);

        return new OkResult();
    }

    function requestMyAction(itemId, isCheck

TestServer and HttpClient get BadRequest for antiforgery token in .net core web api
Lines of code: 48 | License: CC BY-SA 4.0 (excerpt)

    response.Headers.TryGetValues("Set-Cookie", out IEnumerable values)

    public class AntiForgeryToken
    {
        public string XsrfToken { get; set; }
        public string[] Cookies { get; set; }
    }

    pro

ASP.NET controller, AJAX GET works, but POST does not (404)
Lines of code: 29 | License: CC BY-SA 4.0 (excerpt)

    @inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf

    @{
        string antiForgeryToken = Xsrf.GetAndStoreTokens(Context).RequestToken;
    }

    ...

What is difference between axios and fetch in react native?
Lines of code: 4 | License: CC BY-SA 4.0 (excerpt)

    Transformers: allow performing transforms on data before request is made or after response is received
    Interceptors: allow you to alter the request or response entirely (headers as well). also perform async operations before request is mad

Do i have to use csrf protection in React SPA?
Lines of code: 15 | License: CC BY-SA 4.0 (excerpt)

    ...
    // `xsrfCookieName` is the name of the cookie to use as a value for xsrf token
    xsrfCookieName: 'XSRF-TOKEN', // default

    // `xsrfHeaderName` is the name of the http header that carries the xsrf token value
    xsrfHeaderName: 'X-XSRF-TOKEN

Node js csrf token protection not working
Lines of code: 45 | License: CC BY-SA 4.0 (excerpt)

    HttpClientModule,
    HttpClientXsrfModule.withOptions()

    const csrf = require('csurf');
    app.use(bodyParser.urlencoded({
      extended: false
    }));
    // then add cookie parser and csrf config
    app.use(cookieParser());
    app.use(

            Community Discussions

            QUESTION

            node js empty request
            Asked 2022-Apr-11 at 12:47

Everything worked for me until I added csrf. I use fetch in public/js/editor.js to send the image file to the server:

            ...

            ANSWER

            Answered 2022-Apr-11 at 12:47

            QUESTION

            Firebase how to get the current user
            Asked 2022-Apr-02 at 20:21

            I use express js and firebase for user authorization. After registration, the user enters the profile.

            How do I get the current account on the profile page and get its data? So that even after updating the page, you don't lose the current user?

            I've read about onAuthStateChanged, but I don't understand how to use it in my code. (I wanted to in my profile.write js, but I don't understand how). Or get a token from cookies and receive it? Can I have an example?

            server.js

            ...

            ANSWER

            Answered 2022-Apr-02 at 20:21

            Firebase automatically persists the current user's credentials when they sign in, and tries to restore those credentials when the page/app is reloaded. To detect when that restore has completed, or other state changes, you'll want to use a so-called onAuthStateChanged listener as shown in the documentation on getting the currently signed-in user. From there:

            Source https://stackoverflow.com/questions/71720793

            QUESTION

            No CDN Cache Hits Ever For Firebase Cloud Functions
            Asked 2022-Mar-29 at 03:24

            I have a REST API that I have built with Firebase Cloud Functions. No matter what I try, I can't get any of the endpoints to serve from the CDN cache.

            A few pertinent details:

            • I am using the csurf middleware.
            • I have set (on select endpoints) a cache control header value of private, max-age=3600, s-maxage=86400
            • While the client application requires the user to be authenticated, the requests to the above-referenced endpoints omit any cookies and authentication-related data by setting the options of a typical fetch request like so:
            ...

            ANSWER

            Answered 2022-Mar-22 at 21:20

            Firebase doesn't seem to allow you to subtract items from it - only to add more to it.

            This is security by design:

            Note that Hosting adds Cookie and Authorization to the Vary header by default when a request is made for dynamic content. This ensures that any session or cookie authorization header you use is made part of the cache key, which prevents accidental leaks of content.

            My guess is you'd have to make the clients (or downstream servers) not send the Cookie header.

            You could do that by moving the public parts to another path or domain. But maybe there is also a Firebase Option to tick somewhere, marking the content static instead of dynamic.

            Source https://stackoverflow.com/questions/71578815

            QUESTION

            How to test http api that uses csurf csrf protection with mocha/chai?
            Asked 2022-Jan-23 at 16:54

            Not a duplicate of this one

            I want to know what are the minimum headers/cookies needed to set in order to test an api that uses csurf csrf protection.

            In my server I have:

            ...

            ANSWER

            Answered 2022-Jan-23 at 16:54

            According to the documentation, the token is expected to be in a header named CSRF-Token.

            Source https://stackoverflow.com/questions/70817611

            QUESTION

            ExpressJS + ReactJS SPA - Different CSRF token generated in every request
            Asked 2022-Jan-17 at 14:49

            I have set up the csurf node module to add CSRF protection to my ExpressJS application. The frontend is a ReactJS single page application. The problem is that I'm constantly getting this error with every POST request: ForbiddenError: invalid csrf token. I found out that the CSRF token somehow changes in between requests and doesn't persist. How can I resolve this issue? Here's my Express server code:

            ...

            ANSWER

            Answered 2022-Jan-17 at 14:49

            I figured it out. It's because my browser and server weren't sending cookies. Here's what I did to fix it:

            Client

            1. Add the withCredentials: true option to my instance of axios:

            Source https://stackoverflow.com/questions/70674193

            QUESTION

            "message":"invalid csrf token","code":"EBADCSRFTOKEN"
            Asked 2021-Jun-01 at 06:18

            I read all similar questions in stackoverflow, I checked issues in csurf github page but I could not figure out the issue. This is the express middlewares file:

            ...

            ANSWER

            Answered 2021-Jun-01 at 06:18

You do not seem to have a proper body parser set up for the encoding type you're using for your form, i.e. the default x-www-form-urlencoded.

            Express provides such a body parser, just add it to your middleware stack like this:

            Source https://stackoverflow.com/questions/67782250

            QUESTION

            Getting ForbiddenError: invalid csrf token with multer added locally to image upload router
            Asked 2021-May-24 at 16:55

I am using csurf as recommended in my Express application to guard against cross-site forgeries. I have registered it globally (illustrated with code below) and so far so good.

Now, I have added multer.js to be able to upload images and, as their documentation recommends it, it's more secure to attach multer to each express route where you intend to use it.

Now when I do attach multer to my upload routes, I am faced with a 'ForbiddenError: invalid csrf token' and I really don't know why, as the view I am submitting the form from has a csrf token attached to it.

Below is my code and I would really appreciate any help/suggestions. Thank you all

            app.js ...

            ANSWER

            Answered 2021-May-11 at 20:07

            I'm guessing the problem is that when you are uploading a file, the content type of the request becomes multipart/form-data, and you cannot simply pass the csrf token to Express in the body anymore.

            The API allows to pass it in the URL though. Try passing the token in the _csrf parameter, that I think should solve your issue. So simply post the form to .../?_csrf={your_token}. Note though that this is slightly less secure than passing your csrf token in the request body, and might be flagged as a potential vulnerability in later penetration tests if you ever have one.

            Alternatively, for a little more security, you can also pass it as a request header, but that might be a little trickier on the client side. According to the docs, Express will take the token from the following:

            Source https://stackoverflow.com/questions/67453346

            QUESTION

Express csurf middleware always accepted even if I don't attach _csrf in the req.body from react app but api works in postman as expected
Asked 2021-Apr-28 at 05:19

Hi, I am trying to achieve CSRF protection in a react js and express js application. The express api is working properly with postman: when I attach _csrf : token with the req.body then it works, otherwise it throws invalid csrf token. That's perfect. But when I call the api from the react app using axios it's working without the csrf token, please help. Thanks

            Here is the code for express: ...

            ANSWER

            Answered 2021-Apr-28 at 05:19

            X-XSRF-TOKEN is automatically set and sent in the request headers by Axios in my react app that's why when I did not set the _csrf token it still works. But in postman, it doesn't work that way that's why I need to add the _csrf token manually in the body.

            Source https://stackoverflow.com/questions/67288963

            QUESTION

            How to solve: "ForbiddenError: invalid csrf token"
            Asked 2021-Apr-25 at 16:11

            I have problems with setting up csrf. I hope that someone can point me in the right direction.

            I'm using next.js with express.js.

            When I refresh the page following happens:

            1. I get a _csurf cookie (dev tools > application > cookies)
2. a csrf token is logged in my console (-> see last code snippet from context)
            3. when I make a POST request (-> see routes/index.js f.ex. "/aignupQ"), I get the error "Invalid csurf token"; in the request header I can see the _csrf cookie
            4. when I refresh the page and make the POST request again everything works.

            I'm really confused by the error and really don't understand what is wrong. Here is some relevant code:

            server.js:

            ...

            ANSWER

            Answered 2021-Jan-26 at 15:08
            EDIT

            I also found your api path might be wrong. In your axios is await axios.get('csrfToken'). But, I saw /api/csrfToken in your router. Change it to await axios.get('/api/csrfToken')

            Original Answer

In the csurf package, when you use csurf({cookie: true}) with cookie mode in middleware multiple times, it'll break the csrf token in the response header on the first post. You could take a look for more detail in CSRF doesn't work on the first post attempt; I've explained the reason in that post. So, there are two solutions you could use.

Solution 1

According to the comments, you use app.use(csurf({cookie: true})) in server.js and router/index.js. Remove the following line in your router/index.js. When you set up csurf in server.js, you could use req.csrfToken() in controllers/csrf.js without setting up csurf again.

            Source https://stackoverflow.com/questions/65874483

            QUESTION

            How to publish Nestjs api in Google App Engine?
            Asked 2021-Apr-18 at 08:05

            I'm trying to put my nestjs api into Google App Engine but I still have an error. I have created my google cloud project first with the google sdk, edited my code as follow:

            main.ts:

            ...

            ANSWER

            Answered 2021-Apr-15 at 23:22

            Take a look on this other post:

            nest Command not found

            It seems you need to install and use npm as:

            @nestjs/cli instead of just nest

            Source https://stackoverflow.com/questions/67111581

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install csurf

This is a Node.js module available through the npm registry. Installation is done using the npm install command.

            Support

For any new features, suggestions and bugs, create an issue on GitHub. If you have any questions, check and ask on the community page at Stack Overflow.
Clone

• HTTPS: https://github.com/expressjs/csurf.git
• CLI: gh repo clone expressjs/csurf
• SSH: git@github.com:expressjs/csurf.git
