CSRF

![CI](https://github.com/fastify/csrf/actions/workflows/ci.yml)
![NPM version](https://www.npmjs.com/package/@fastify/csrf)
![neostandard javascript style](https://github.com/neostandard/neostandard)

Logic behind CSRF token creation and verification.

Read Understanding-CSRF
for more information on CSRF. Use this module to create custom CSRF middleware.

Looking for a CSRF framework for your favorite framework that uses this
module?

* Express/connect: csurf or
alt-xsrf
* Koa: koa-csrf or
koa-atomic-session

This module is a fork of https://github.com/pillarjs/csrf at f0d66c91ea4be6d30a03bd311ed9518951d9c3e4.

$3

``sh $ npm i @fastify/csrf`

`$3`

This module includes a TypeScript declaration file to enable auto-complete in compatible editors and type information for TypeScript projects.

`API`

`js const Tokens = require('@fastify/csrf')`

`$3`

Create a new token generation/verification instance. The optionsargument is optional and will just use all defaults if missing.

#### Options

Tokens accept these properties in the options object.

##### algorithm

The hash-algorithm to generate the token. Defaults to sha256.

##### saltLength

The length of the internal salt to use, in characters. Internally, the salt is a base 62 string. Defaults to8 characters.

##### secretLength

The length of the secret to generate, in bytes. Note that the secret is passed around base-64 encoded and that this length refers to the underlying bytes, not the length of the base-64 string. Defaults to18 bytes.

##### userInfo

Require user-specific information in tokens.create()andtokens.verify().

##### hmacKey

When set, the hmacKey is used to generate the cryptographic HMAC hash instead of the default hash function.

##### validity

The maximum validity of the token to generate, in milliseconds. Note that the epoch is passed around base-36 encoded. Defaults to0 milliseconds (disabled).

#### tokens.create(secret[, userInfo])

Create a new CSRF token attached to the given secret. The secretis a string, typically generated from thetokens.secret() or tokens.secretSync()methods. This token is what you should add into HTML

 blocks and
expect the user's browser to provide back.

`js const secret = tokens.secretSync() const token = tokens.create(secret)`

The userInfoparameter can be used to protect against cookie tossing attacks (and similar) when the application is deployed with untrusted subdomains. It will encode some user-specific information within the token. It is used only ifuserInfo: trueis passed to the constructor.

#### tokens.secret(callback)

Asynchronously create a new secret, which is a string. The secret is to be kept on the server, typically stored in a server-side session for the user. The secret should be at least per user.

`js tokens.secret(function (err, secret) { if (err) throw err // Do something with the secret })`

#### tokens.secret()

Asynchronously create a new secret and return a Promise. Please seetokens.secret(callback) documentation for full details.

Note: To use promises in Node.js _prior to 0.12_, promises must be "polyfilled" usingglobal.Promise = require('bluebird').

`js tokens.secret().then(function (secret) { // Do something with the secret })`

#### tokens.secretSync()

A synchronous version of tokens.secret(callback). Please seetokens.secret(callback) documentation for full details.

`js const secret = tokens.secretSync()`

#### tokens.verify(secret, token[, userInfo])

Check whether a CSRF token is valid for the given secret, returning a Boolean.

`js if (!tokens.verify(secret, token)) { throw new Error('invalid token!') }`

The userInfo parameter is required if userInfo: truewas configured during initialization. The user-specific information must match what was passed intokens.create()`.

License

Licensed under MIT.

CSRF

![CI](https://github.com/fastify/csrf/actions/workflows/ci.yml)
![NPM version](https://www.npmjs.com/package/@fastify/csrf)
![neostandard javascript style](https://github.com/neostandard/neostandard)

Logic behind CSRF token creation and verification.

Read Understanding-CSRF
for more information on CSRF. Use this module to create custom CSRF middleware.

Looking for a CSRF framework for your favorite framework that uses this
module?

* Express/connect: csurf or
alt-xsrf
* Koa: koa-csrf or
koa-atomic-session

This module is a fork of https://github.com/pillarjs/csrf at f0d66c91ea4be6d30a03bd311ed9518951d9c3e4.

$3

``sh $ npm i @fastify/csrf`

`$3`

This module includes a TypeScript declaration file to enable auto-complete in compatible editors and type information for TypeScript projects.

`API`

`js const Tokens = require('@fastify/csrf')`

`$3`

Create a new token generation/verification instance. The optionsargument is optional and will just use all defaults if missing.

#### Options

Tokens accept these properties in the options object.

##### algorithm

The hash-algorithm to generate the token. Defaults to sha256.

##### saltLength

The length of the internal salt to use, in characters. Internally, the salt is a base 62 string. Defaults to8 characters.

##### secretLength

##### userInfo

Require user-specific information in tokens.create()andtokens.verify().

##### hmacKey

When set, the hmacKey is used to generate the cryptographic HMAC hash instead of the default hash function.

##### validity

The maximum validity of the token to generate, in milliseconds. Note that the epoch is passed around base-36 encoded. Defaults to0 milliseconds (disabled).

#### tokens.create(secret[, userInfo])

`js const secret = tokens.secretSync() const token = tokens.create(secret)`

#### tokens.secret(callback)

Asynchronously create a new secret, which is a string. The secret is to be kept on the server, typically stored in a server-side session for the user. The secret should be at least per user.

`js tokens.secret(function (err, secret) { if (err) throw err // Do something with the secret })`

#### tokens.secret()

Asynchronously create a new secret and return a Promise. Please seetokens.secret(callback) documentation for full details.

Note: To use promises in Node.js _prior to 0.12_, promises must be "polyfilled" usingglobal.Promise = require('bluebird').

`js tokens.secret().then(function (secret) { // Do something with the secret })`

#### tokens.secretSync()

A synchronous version of tokens.secret(callback). Please seetokens.secret(callback) documentation for full details.

`js const secret = tokens.secretSync()`

#### tokens.verify(secret, token[, userInfo])

Check whether a CSRF token is valid for the given secret, returning a Boolean.

`js if (!tokens.verify(secret, token)) { throw new Error('invalid token!') }`

The userInfo parameter is required if userInfo: truewas configured during initialization. The user-specific information must match what was passed intokens.create()`.

License

Licensed under MIT.

@fastify/csrf

CSRF

$3

$3

API

$3

License

@fastify/csrf

CSRF

$3

$3

API

$3

License

Dist Tags

`$3`

`API`

`$3`

`$3`

`API`

`$3`