I found that this module only checks whether the submitted CSRF token is valid against the secret stored in the session/cookie, at this line: https://github.com/expressjs/csurf/blob/master/index.js#L111.
However, when a correct token is submitted and verified, the code does nothing to the secret. So I can reuse the same token over and over again, because the secret does not change.
What it should do is regenerate a new secret whenever a valid token is verified.