# CSRF tokens for Koa

> **NOTE:** As of v5.0.0+ `ctx.csrf`, `ctx_csrf`, and `ctx.response.csrf` are removed – instead use `ctx.state._csrf`. Furthermore we have dropped `invalidTokenMessage` and `invalidTokenStatusCode` in favor of an `errorHandler` function option.
## Install

npm:

```sh
npm install koa-csrf
```
## Usage

1. Add middleware in Koa app (see options below):

   ```js
   const Koa = require('koa');
   const bodyParser = require('koa-bodyparser');
   const session = require('koa-generic-session');
   const convert = require('koa-convert');
   const CSRF = require('koa-csrf');

   const app = new Koa();

   // set the session keys
   app.keys = [ 'a', 'b' ];

   // add session support
   app.use(convert(session()));

   // add body parsing
   app.use(bodyParser());

   // add the CSRF middleware
   app.use(new CSRF());

   // your middleware here (e.g. parse a form submit)
   app.use((ctx, next) => {
     if (![ 'GET', 'POST' ].includes(ctx.method)) return next();
     if (ctx.method === 'GET') {
       ctx.body = ctx.state._csrf;
       return;
     }
     ctx.body = 'OK';
   });

   app.listen();
   ```

2. Add the CSRF token in your template forms:

   Jade Template:

   ```jade
   form(action='/register', method='POST')
     input(type='hidden', name='_csrf', value=_csrf)
     input(type='email', name='email', placeholder='Email')
     input(type='password', name='password', placeholder='Password')
     button(type='submit') Register
   ```

   EJS Template:

   ```ejs
   <form action="/register" method="POST">
     <input type="hidden" name="_csrf" value="<%= _csrf %>" />
     <input type="email" name="email" placeholder="Email" />
     <input type="password" name="password" placeholder="Password" />
     <button type="submit">Register</button>
   </form>
   ```
## Options

* `errorHandler` (Function) - defaults to a function that returns `ctx.throw(403, 'Invalid CSRF token')`
* `excludedMethods` (Array) - defaults to `[ 'GET', 'HEAD', 'OPTIONS' ]`
* `disableQuery` (Boolean) - defaults to `false`
* `ignoredPathGlobs` (Array) - defaults to an empty Array, but you can pass an Array of glob paths to ignore
## Contributors

| Name | Website |
| --- | --- |
| Nick Baugh | https://github.com/niftylettuce |
| Imed Jaberi | https://www.3imed-jaberi.com/ |