krakenjs / lusca

Application security for express apps.

Cannot read property '_csrfSecret' of undefined #37

Closed knownasilya closed 10 years ago

knownasilya commented 10 years ago

Error when accessing / endpoint.

TypeError: Cannot read property '_csrfSecret' of undefined
   at Object.create (/Users/iradchenko/workspace/nycbb/node_modules/lusca/lib/token.js:13:25)
   at csrf (/Users/iradchenko/workspace/nycbb/node_modules/lusca/lib/csrf.js:28:32)
   at /Users/iradchenko/workspace/nycbb/node_modules/lusca/index.js:48:21
   at csp (/Users/iradchenko/workspace/nycbb/node_modules/lusca/lib/csp.js:32:9)
   at /Users/iradchenko/workspace/nycbb/node_modules/lusca/index.js:48:21
   at hsts (/Users/iradchenko/workspace/nycbb/node_modules/lusca/lib/hsts.js:24:9)
   at /Users/iradchenko/workspace/nycbb/node_modules/lusca/index.js:48:21
   at p3p (/Users/iradchenko/workspace/nycbb/node_modules/lusca/lib/p3p.js:15:9)
   at /Users/iradchenko/workspace/nycbb/node_modules/lusca/index.js:48:21
   at xframe (/Users/iradchenko/workspace/nycbb/node_modules/lusca/lib/xframes.js:12:9)

My lusca options look like this:

app.use(lusca({
  csrf: true,
  csp: {
    policy: {
      'default-src': '\'self\''
    }
  },
  xframe: 'SAMEORIGIN',
  p3p: 'ABCDEF',
  hsts: {
    maxAge: 31536000,
    includeSubDomains: true
  },
  xssProtection: true
}));

knownasilya commented 10 years ago

Looks like lusca depends on req.session to be present via something like express-session. Probably a good idea to provide a warning if session doesn't exist.

Also a note on the readme saying that it depends on a session middleware.

grawk commented 10 years ago

I agree on both points. We will make changes accordingly.

grawk commented 10 years ago

https://github.com/krakenjs/lusca/commit/33795e8077c412d92e74c2aaf58567103426c439 resolves this issue with a thrown error when req.session is not available. In addition, a bold warning has been added to README to indicate that a session object is required in order to use lusca. This is published in v1.0.2.