expressjs / csurf

CSRF token middleware
MIT License
2.3k stars, 217 forks

Exposed verify token. Fixes #43. #82

Open YourDeveloperFriend opened 9 years ago

dougwilson commented 9 years ago

Please add some tests and documentation :)

YourDeveloperFriend commented 9 years ago

> Please add some tests and documentation :)

Done!

dougwilson commented 9 years ago

Thanks, looking good! The tests are failing in Node.js 0.12 and up, it looks like. Seems like just an issue in the tests themselves, I would guess.

YourDeveloperFriend commented 9 years ago

Awesome, I'll take a look at it in 0.12 and see if I can find out what's going on.

camacho commented 8 years ago

@YourDeveloperFriend @dougwilson Any update on the status of this PR? Tests seem to be passing and code approved - would be great to have access to this functionality without having to use a forked version. Happy to contribute if there's more work to be done.

dougwilson commented 8 years ago

Hi @camacho, sorry, I didn't realize the issue was addressed, as there was no follow-up comment after "I'll take a look" and GitHub provides no notifications for when new commits are pushed to a PR, so it completely dropped off my radar.

camacho commented 8 years ago

No worries @dougwilson - is there anything additional that needs to be done with this PR?

mindvox commented 8 years ago

This would be great to get implemented. Would be nice to base64 encode/decode or encrypt tokens during use.

JustinLivi commented 8 years ago

Is there anything I could do to help move this along? I was about to fork myself to build this exact feature. I would very much prefer to be able to use the upstream library.

alvarotrigo commented 7 years ago

It was never merged?

YourDeveloperFriend commented 7 years ago

AFAIK there's nothing on my end that needs to happen. Please let me know if there's something that's missing from my PR.

iofluxdev1 commented 6 years ago

How about getting this merged in. It has been 2 years...

davidjb commented 6 years ago

👍 For this feature. My use case is the same as #43 in that I'm validating state within an OAuth callback.

jamesfiltness commented 6 years ago

👍 for this. I also want to use csurf to validate state in an OAuth context.

jamesfiltness commented 6 years ago

For anyone needing csurf in the context of an OAuth callback you can use the following as a middleware:

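```js
const express = require('express');
const csrf = require('csurf');

// csurf needs session or cookie-parser middleware registered before it
const router = express.Router();

const csrfProtection = csrf({
  value: function(req) {
    // grab the csrf token from the query param
    return req.query.state;
  },
  // by default csurf ignores GET requests; leaving GET out of this list
  // makes the GET callback go through token validation
  ignoreMethods: ['HEAD', 'OPTIONS'],
});
router.get('/', csrfProtection, require('./kloudless-oauth-callback'));
```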
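The OAuth `state` use case raised in this thread needs both an issuing side and a verifying side; the following is an added example, not part of any comment above and not csurf's own code, that shows both with only Node's `crypto`. The names `newSecret`, `issueState`, `verifyState` and `handleCallback`, the HMAC-SHA256 token layout, and the `session.oauthSecret` field are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Per-session secret: stored server-side in the session, never sent to the browser.
function newSecret() {
  return crypto.randomBytes(32).toString('hex');
}

function mac(secret, salt) {
  return crypto.createHmac('sha256', secret).update(salt).digest('hex');
}

// Value to put in the `state` parameter of the authorization redirect.
function issueState(secret) {
  const salt = crypto.randomBytes(8).toString('hex');
  return salt + '.' + mac(secret, salt);
}

// Check a returned `state` against the session secret.
function verifyState(secret, state) {
  // Express parses a repeated query parameter (?state=a&state=b) into an array,
  // so anything that is not a plain string is rejected before parsing.
  if (typeof secret !== 'string' || !secret || typeof state !== 'string') return false;
  const dot = state.indexOf('.');
  if (dot <= 0) return false;
  const expected = Buffer.from(mac(secret, state.slice(0, dot)));
  const given = Buffer.from(state.slice(dot + 1));
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}

// Callback logic; `session` and `query` are plain objects standing in for
// req.session and req.query (constructed stand-ins, not Express objects).
function handleCallback(session, query) {
  const secret = session.oauthSecret;
  delete session.oauthSecret; // single use: a replayed callback finds no secret
  if (!verifyState(secret, query.state)) {
    return { status: 403, body: 'invalid state' };
  }
  return { status: 200, body: 'state ok, exchange code ' + query.code };
}
```
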