Enable csrf protection on put, delete (#6)

* Enable csrf protection on put, delete * allow head, use uuid.v4
electrode-io · Oct 3, 2016 · 003e934 · 003e934
1 parent 9d3e5d3
commit 003e934
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/lib/csrf-express.js b/lib/csrf-express.js
@@ -15,7 +15,7 @@ function csrfMiddleware(options) {
   function middleware(req, res, next) {
 
     function createToken() {
-      const id = uuid.v1();
+      const id = uuid.v4();
       const headerPayload = {type: "header", uuid: id};
       const cookiePayload = {type: "cookie", uuid: id};
 
@@ -47,7 +47,8 @@ function csrfMiddleware(options) {
       });
     }
 
-    if (req.method === "POST") {
+    const method = req.method.toUpperCase();
+    if (method !== "GET" && method !== "HEAD") {
       return verifyAndCreateToken();
     }
 

diff --git a/lib/csrf-hapi.js b/lib/csrf-hapi.js
@@ -18,7 +18,7 @@ function csrfPlugin(server, options, next) {
   server.ext("onPreAuth", (request, reply) => {
 
     function createToken() {
-      const id = uuid.v1();
+      const id = uuid.v4();
       const headerPayload = {type: "header", uuid: id};
       const cookiePayload = {type: "cookie", uuid: id};
 
@@ -62,7 +62,8 @@ function csrfPlugin(server, options, next) {
       return reply.continue();
     }
 
-    if (request.method === "post") {
+    const method = request.method.toUpperCase();
+    if (method !== "GET" && method !== "HEAD") {
       return verifyAndCreateToken();
     }