koa-csrf
CSRF tokens for Koa
NOTE: As of v5.0.0+
ctx.csrf,ctx_csrf, andctx.response.csrfare removed – instead usectx.state._csrf. Furthermore we have droppedinvalidTokenMessageandinvalidTokenStatusCodein favor of anerrorHandlerfunction option.
Table of Contents
Install
npm:
npm install koa-csrfUsage
-
Add middleware in Koa app (see options below):
const Koa = require('koa'); const bodyParser = require('koa-bodyparser'); const session = require('koa-generic-session'); const convert = require('koa-convert'); const CSRF = require('koa-csrf'); const app = new Koa(); // set the session keys app.keys = [ 'a', 'b' ]; // add session support app.use(convert(session())); // add body parsing app.use(bodyParser()); // add the CSRF middleware app.use(new CSRF()); // your middleware here (e.g. parse a form submit) app.use((ctx, next) => { if (![ 'GET', 'POST' ].includes(ctx.method)) return next(); if (ctx.method === 'GET') { ctx.body = ctx.state._csrf; return; } ctx.body = 'OK'; }); app.listen(); -
Add the CSRF token in your template forms:
Jade Template:
form(action='/register', method='POST') input(type='hidden', name='_csrf', value=_csrf) input(type='email', name='email', placeholder='Email') input(type='password', name='password', placeholder='Password') button(type='submit') RegisterEJS Template:
<form action="/register" method="POST"> <input type="hidden" name="_csrf" value="<%= _csrf %>" /> <input type="email" name="email" placeholder="Email" /> <input type="password" name="password" placeholder="Password" /> <button type="submit">Register</button> </form>
Options
errorHandler(Function) - defaults to a function that returnsctx.throw(403, 'Invalid CSRF token')excludedMethods(Array) - defaults to[ 'GET', 'HEAD', 'OPTIONS' ]disableQuery(Boolean) - defaults tofalseignoredPathGlobs(Array) - defaults to an empty Array, but you can pass an Array of glob paths to ignore
Contributors
| Name | Website |
|---|---|
| Nick Baugh | https://github.com/niftylettuce |
| Imed Jaberi | https://www.3imed-jaberi.com/ |