koajs / csrf

CSRF tokens for koa
MIT License

Question: omitted options do not set defaults in this.tokens #44

Closed jcalfee closed 5 years ago

jcalfee commented 7 years ago

If opts is omitted, `this.tokens = csrf(opts)` is created without the default values. All the default values went into `this.opts`. So either that is a bug, or the code could probably be clearer, commenting why this is the case and perhaps moving `this.tokens = csrf(opts);` closer to the top.

I think the fix is to change `this.tokens = csrf(opts);` to `this.tokens = csrf(this.opts);`

```js
constructor(opts) {
  this.opts = opts || {};

  if (!this.opts.invalidSessionSecretMessage)
    this.opts.invalidSessionSecretMessage = 'Invalid session secret';

  if (!this.opts.invalidSessionSecretStatusCode)
    this.opts.invalidSessionSecretStatusCode = 403;

  if (!this.opts.invalidTokenMessage)
    this.opts.invalidTokenMessage = 'Invalid CSRF token';

  if (!this.opts.invalidTokenStatusCode)
    this.opts.invalidTokenStatusCode = 403;

  if (!this.opts.excludedMethods)
    this.opts.excludedMethods = [ 'GET', 'HEAD', 'OPTIONS' ];

  if (typeof this.opts.disableQuery !== 'boolean')
    this.opts.disableQuery = false;

  // the defaults above were applied to this.opts, but the raw `opts`
  // argument (undefined when omitted) is what gets passed here
  this.tokens = csrf(opts);

  return this.middleware;
}
```

https://github.com/koajs/csrf/blob/master/src/index.js#L13
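The following is an added reproduction of the problem described in the issue; it is not code from koajs/csrf. `fakeCsrf` is a constructed stand-in for the `csrf` token factory that only records the options object it receives, and `applyDefaults` mirrors the default-filling logic quoted above. `buildBuggy` passes the raw `opts` argument the way the current constructor does, while `buildFixed` passes the populated options object as the proposed fix does.

```javascript
// Constructed stand-in for the `csrf` factory: records what it was given.
const fakeCsrf = (opts) => ({ received: opts });

// Same default-filling logic as the constructor in the issue (assumed to be
// representative; not the project's code).
function applyDefaults(opts) {
  const o = opts || {};
  if (!o.invalidSessionSecretMessage) o.invalidSessionSecretMessage = 'Invalid session secret';
  if (!o.invalidSessionSecretStatusCode) o.invalidSessionSecretStatusCode = 403;
  if (!o.invalidTokenMessage) o.invalidTokenMessage = 'Invalid CSRF token';
  if (!o.invalidTokenStatusCode) o.invalidTokenStatusCode = 403;
  if (!o.excludedMethods) o.excludedMethods = ['GET', 'HEAD', 'OPTIONS'];
  if (typeof o.disableQuery !== 'boolean') o.disableQuery = false;
  return o;
}

// Current behaviour: the token factory gets the caller's raw argument,
// which is `undefined` when the caller passed nothing.
function buildBuggy(opts) {
  const self = { opts: applyDefaults(opts) };
  self.tokens = fakeCsrf(opts);
  return self;
}

// Proposed fix: the token factory gets the object that carries the defaults.
function buildFixed(opts) {
  const self = { opts: applyDefaults(opts) };
  self.tokens = fakeCsrf(self.opts);
  return self;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('buggy, no opts  ->', buildBuggy().tokens.received);
  console.log('fixed, no opts  ->', buildFixed().tokens.received);
  console.log('buggy, with opts ->', buildBuggy({ disableQuery: true }).tokens.received);
}
```

Because `applyDefaults` mutates the object the caller passed in, the buggy variant behaves identically to the fixed one whenever the caller supplies an options object; the difference only appears when `opts` is omitted, which is why a test that always passes options would never catch it.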

stephenmathieson commented 7 years ago

It's a bug for sure. Fixed in #45