expressjs / csurf

CSRF token middleware
MIT License
2.3k stars, 217 forks

No regeneration of secret when a valid token is submitted #188

Closed ptantiku closed 5 years ago

ptantiku commented 5 years ago

I found that this module only checks whether the submitted CSRF token is valid against the secret stored in the session/cookie, at this line: https://github.com/expressjs/csurf/blob/master/index.js#L111.

However, when a correct token is submitted and verified, the code does nothing to the secret. So I can reuse the same token over and over again, because the secret does not change.

What it should do is when a valid token is verified, it should regenerate a new secret.

dougwilson commented 5 years ago

That's as it is currently designed. Issue #120 is tracking making expiring ones, and a pull request to implement it is welcome!

dougwilson commented 5 years ago

Pull requests to implement the feature you want are welcome.