Closed strazto closed 1 week ago
Correct, that endpoint specifically is not necessary; it depends on your use case! You will need to call `generateToken` at some point in order to have a token, and you do need to return the value from `generateToken` to your frontend in some way from some sort of response (json, html, or otherwise), this way your frontend can include it in the necessary header.
In a case where you have an SPA which is not served by the express app, you'd likely need a specific endpoint, or an initial data fetching end point, that includes a CSRF token. Alternatively, if your SPA is served by your express app, you could inject the csrf token into a meta tag on the entry page to the frontend.
The examples are a bit dated; they should really make use of `getSessionIdentifier` and be a bit more realistic in their implementation. I had planned on revamping the examples with v4, but maybe I should do it beforehand.
Closing this for now, feel free to comment back and re-open if you're still uncertain. If you have any other issues/concerns, feel free to raise another issue.
In all of your examples (& userdocs), you demonstrate a separate GET route `/csrf-token` that returns the generated token: https://github.com/Psifi-Solutions/csrf-csrf/blob/3a016c5a849521994f73121c8e58521efb1b421c/example/complete/src/index.js#L48-L52
I'm not clear on whether this separate endpoint is intended to demonstrate the use of a manual `generateToken` call, or if it's actually necessary for the operation of the middleware. I've reviewed the source, and it looks like it's not necessary to implement this endpoint.
Am I correct in thinking this?