Closed hopkins385 closed 1 year ago
Ok, after trying out your playground example, I figured out that I have to call useCsrf();
in the vue components itself (on the client side), before I make the api call since the api call is inside of a composable.
But that does exposes the csrf-token and the csrf (__Host-csrf) cookie to the client. Is that intentionally?
Hello @hopkins385,
yes I should have added the useCsrf()
in the doc 👍
Yes, both need to be exposed, the token to be added in each request header and the cookie to verify the token on the server side. Thus, an attacker cannot forge a request, because he cannot know in advance the correct value of the token that matches the cookie
See OWASP CSRF cheatsheet 😉
:tada: This issue has been resolved in version 1.0.1 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
Ok, cool. In the meantime I've created a global middleware to add the useCsrf() to every request, because I had issues when navigating between pages as the useCsrf defined in the vue-component would only be executed on a full page reload, but not on a route change e.g. via NuxtLink.
Hope this helps all others who encounter similar issues. ;-)
Maybe worth to mention in docu?
./middleware/csrf.global.ts
export default defineNuxtRouteMiddleware(() => {
useCsrf();
});
Thanks for the interest, just for information, with the last release (1.1.0) it's no longer necessary to manually (or via middleware) call the useCsrf() function :)
Hi guys,
first of all thank you very much for the package! Unfortunately it seems to not work. What I've observed so far:
The csrf-token remains "undefined" even if the cookie is set properly.
nuxt config
Request header
Response header
package json (relevant parts)
api call