Simple NestJS CSRF verify token
- About
- Usage
- How to verify csrf token
- Restful API Setup
- GraphQL Setup
## About

Nestjs CSRF protection middleware.

If you have questions on how this module is implemented, please read Understanding CSRF.

Version compatibility:

- current -> @nestjs/common >= 10.x
- 1.0.7 -> @nestjs/common ^9.4
- 1.0.2 -> @nestjs/common ^7.6

Requires either a session middleware or cookie-parser to be initialised before nestCsrf(), because the token secret is stored in a cookie, and CORS to be enabled (app.enableCors()) when the frontend is served from another origin:

```javascript
app.use(cookieParser());
```
This is a Node.js module available through the npm registry. Installation is done using the npm install command:

```
$ npm install ncsrf --save
```

or

```
$ yarn add ncsrf
```
## Usage

```javascript
import { nestCsrf, CsrfFilter } from "ncsrf";
import cookieParser from "cookie-parser";

// inside bootstrap(), after the Nest application has been created
app.use(cookieParser()); // must come before nestCsrf(): the token secret lives in a cookie
app.use(nestCsrf());
```

nestCsrf() accepts an options object with the following keys:

- signed - indicates if the cookie should be signed (defaults to false).
- key - the name of the cookie used to store the token secret (defaults to '_csrf').
- ttl - the time to live, in seconds, of the cookie used to store the token secret (defaults to 300).
Register the provided exception filter globally:

```javascript
app.useGlobalFilters(new CsrfFilter());
```

Or write your own exception filter that catches these two exception classes:

```javascript
CsrfInvalidException
CsrfNotFoundException
```
## How to verify csrf token

The HTTP request must carry the token in at least one of these headers:

- csrf-token
- xsrf-token
- x-csrf-token
- x-xsrf-token

or in the query parameter:

- _csrf

or in the body parameter:

- _csrf

Important: the request must be sent with withCredentials set to true (XMLHttpRequest/axios) or credentials set to include (fetch API), so that the browser sends the cookie holding the token secret along with the token.
## Restful API Setup

Expose an endpoint that hands the frontend a token; req.csrfToken() is available once nestCsrf() is installed:

```javascript
import { Get, Req } from "@nestjs/common";

@Get('/token')
getCsrfToken(@Req() req): any {
  return {
    token: req.csrfToken()
  }
}
```

Protect a route with the Csrf decorator:

```javascript
import { Csrf } from "ncsrf";
...
@Post()
@Csrf()
needProtect(): string {
  return "Protected!";
}
```

Optionally pass a custom exception message:

```javascript
import { Csrf } from "ncsrf";
...
@Post()
@Csrf("Custom exception message")
needProtect(): string {
  return "Protected!";
}
```
## GraphQL Setup

Important: the request must be sent with withCredentials set to true (XMLHttpRequest/axios) or credentials set to include (fetch API), so that the browser sends the cookie holding the token secret along with the token.

Expose a query that returns a token:

```javascript
import { Query, Context } from "@nestjs/graphql";

// the GraphQL return type must be the String constructor, not the TypeScript type
@Query((returns) => String, { name: 'getToken', nullable: false })
async getCsrfToken(@Context('req') req: any) {
  return req?.csrfToken();
}
```

Protect a mutation with the CsrfQL decorator:

```javascript
import { CsrfQL } from "ncsrf";
...
@Mutation((returns) => String, { name: 'needProtect', nullable: false })
@CsrfQL()
needProtect(): string {
  return "Protected!";
}
```

Optionally pass a custom exception message:

```javascript
import { CsrfQL } from "ncsrf";
...
@Mutation((returns) => String, { name: 'needProtect', nullable: false })
@CsrfQL("Custom exception message")
needProtect(): string {
  return "Protected!";
}
```
- If you have any issue, please create an issue.
- If you want to contribute, please create a pull request.