import { Request, RequestHandler } from 'express'
import csrf from 'csrf'
// Single token generator/verifier shared by the whole module.
const csrfTokens = new csrf()

// Process-wide secret every token is minted from and checked against.
// NOTE(review): it is created once at module load (secretSync), so tokens do
// not survive a restart and are not shared between instances — confirm this
// matches the deployment.
const secret: string = csrfTokens.secretSync()
/**
 * Mints a fresh CSRF token from this process's `secret`.
 * Hand it to the client; `csrfProtection` later verifies it against the same secret.
 *
 * @returns the newly created token string
 */
export const generateCSRFToken = (): string => {
  return csrfTokens.create(secret)
}
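/**
 * Methods that RFC 7231 defines as safe (no server-side state change) and
 * that therefore need no CSRF token. HEAD and OPTIONS are grouped with GET so
 * that HEAD probes and CORS preflights are not answered with 400.
 */
const CSRF_SAFE_METHODS: ReadonlySet<string> = new Set(['GET', 'HEAD', 'OPTIONS'])

/**
 * Returns the CSRF token a request carries, or `undefined` if none is found.
 *
 * Locations are checked in this order:
 *   - `req.body.csrf_token`          (typically populated by the body parser)
 *   - `req.query.csrf_token`         (Express URL query string parsing)
 *   - `req.headers['csrf-token']`    (CSRF-Token header)
 *   - `req.headers['xsrf-token']`    (XSRF-Token header)
 *   - `req.headers['x-csrf-token']`  (X-CSRF-Token header)
 *   - `req.headers['x-xsrf-token']`  (X-XSRF-Token header)
 *
 * Only a non-empty string counts. Repeated query params or headers arrive as
 * arrays and are skipped, so the value handed to `csrfTokens.verify` is always
 * a plain string (or `undefined`, which is rejected before verify is called).
 *
 * @param req - the incoming Express request
 * @returns the first usable token string, else `undefined`
 */
const readCsrfToken = (req: Request): string | undefined => {
  const candidates: unknown[] = [
    req.body?.csrf_token,
    req.query?.csrf_token,
    req.headers['csrf-token'],
    req.headers['xsrf-token'],
    req.headers['x-csrf-token'],
    req.headers['x-xsrf-token']
  ]
  return candidates.find(
    (value): value is string => typeof value === 'string' && value.length > 0
  )
}

/**
 * Express middleware that rejects state-changing requests lacking a valid
 * CSRF token. Safe methods (GET/HEAD/OPTIONS) pass straight through; every
 * other request must carry a token produced by `generateCSRFToken`, otherwise
 * it is answered with `400 Invalid CSRF token!` and the chain stops.
 *
 * NOTE(review): tokens are checked against the single process-wide `secret`,
 * not a per-session secret, so a token is not bound to the client it was
 * issued to — the endpoint that exposes `generateCSRFToken` should itself
 * require an authenticated, same-origin caller.
 */
export const csrfProtection: RequestHandler = (req, res, next) => {
  // Safe methods carry no side effects by contract, so no token is required.
  if (CSRF_SAFE_METHODS.has(req.method)) return next()

  const token = readCsrfToken(req)
  // A missing token and a token not minted from `secret` are rejected alike.
  if (token === undefined || !csrfTokens.verify(secret, token)) {
    return res.status(400).send('Invalid CSRF token!')
  }
  next()
}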