juanbzpy / next-csrf

CSRF mitigation for Next.js
https://npm.im/next-csrf
MIT License
140 stars 22 forks

Keep original args of handler so we have access to the context #58

Open rduque1 opened 1 year ago

rduque1 commented 1 year ago

In order to have the next context object, can this line: https://github.com/j0lv3r4/next-csrf/blob/91774aca0b271512f69976fce1fbc8681a7ca229/src/middleware/setup.ts#L49

be changed to:

```ts
return handler(...args)
```

machadolucas commented 1 year ago

To anyone needing to access the context, I solved this by using the following initialization configuration:

```ts
import {nextCsrf} from "next-csrf";

const { csrf, setup : setupFramework } = nextCsrf({
    secret: process.env.CSRF_SECRET,
});

// Hack to allow the use of next-csrf with getServerSideProps, making the context available
const setup = (
    handler: any,
) => async (context: any) => {
    setupFramework(context);
    return handler(context);
};

export { csrf, setup };
```

BranislavLazic commented 1 year ago

@machadolucas That example is not working. It will not set XSRF-TOKEN cookie and you will get a 403 status code.

machadolucas commented 1 year ago

> @machadolucas That example is not working. It will not set XSRF-TOKEN cookie and you will get a 403 status code.

It does work for me. Have you also added the setup in the page? For example:

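```ts
// Type of the context argument passed to getServerSideProps
import type { GetServerSidePropsContext } from "next";
// Import setup from your config
import {setup} from "../util/yourCsrfConfig";

export const getServerSideProps = setup(async (context: GetServerSidePropsContext) => {
    // ...
});
```

DerekWolfie commented 7 months ago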

Still doesn't work
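
The behaviour requested in this issue, as an added example that is not next-csrf's code and not from any commenter: a wrapper that locates `res` in either call shape, sets the token cookie, and forwards the original arguments with `handler(...args)`. The names `withCsrfSetup`, `resolveReqRes`, `newToken` and `fakeRes` are assumptions, only the `XSRF-TOKEN` cookie name comes from the thread, and the sketch issues a token without signing or verifying it.

```javascript
// Added illustration, not next-csrf source. withCsrfSetup, resolveReqRes and
// newToken are hypothetical names; the cookie name comes from the thread.
function newToken() {
  // 32 bytes from a CSPRNG, hex-encoded (Web Crypto when require() is absent).
  if (typeof require === "function") {
    return require("node:crypto").randomBytes(32).toString("hex");
  }
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// API routes are called as (req, res); getServerSideProps as (context),
// where the context object carries req and res as properties.
function resolveReqRes(args) {
  if (args.length === 1 && args[0] && args[0].req && args[0].res) {
    return { req: args[0].req, res: args[0].res };
  }
  if (args.length >= 2) return { req: args[0], res: args[1] };
  throw new TypeError("expected (req, res) or a context with req and res");
}

function withCsrfSetup(handler, makeToken = newToken) {
  return async (...args) => {
    const { res } = resolveReqRes(args);
    // Append rather than overwrite, so cookies set earlier survive.
    const prior = res.getHeader("Set-Cookie") || [];
    const cookie = `XSRF-TOKEN=${makeToken()}; Path=/; SameSite=Lax; Secure`;
    res.setHeader("Set-Cookie", [].concat(prior, cookie));
    // Forward the caller's arguments untouched, so a getServerSideProps
    // handler still receives the whole context (params, query, ...).
    return handler(...args);
  };
}

// Constructed stand-in for a Node response, used only by demo().
function fakeRes() {
  const headers = {};
  return {
    getHeader: (name) => headers[name.toLowerCase()],
    setHeader: (name, value) => { headers[name.toLowerCase()] = value; },
  };
}

async function demo() {
  const res = fakeRes();
  const context = { req: {}, res, params: { id: "42" } };
  const gssp = withCsrfSetup(async (ctx) => ({ props: { id: ctx.params.id } }));
  return { result: await gssp(context), cookies: res.getHeader("Set-Cookie") };
}
```
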