Skip to content

huy97/csrf

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
src
src
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 
yarn.lock
yarn.lock
 
 

Repository files navigation

Nestjs CSRF token validator

Table of Contents

About

Nestjs CSRF protection middleware. If you have questions on how this module is implemented, please read Understanding CSRF.

Deps version

  • current -> @nestjs/common >= 10.x
  • 1.0.7 -> @nestjs/common ^9.4
  • 1.0.2 -> @nestjs/common ^7.6

Prerequisites

Requires either a session middleware or cookie-parser to be initialized first, and need enableCors.

app.use(cookieParser());

Installing

This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install ncsrf --save

or

$ yarn add ncsrf

Usage

Import in main.ts to enable the middleware globally

import { nestCsrf, CsrfFilter } from "ncsrf";
import cookieParser from "cookie-parser";

app.use(cookieParser());
app.use(nestCsrf());

nestCsrf([options])

  • signed - indicates if the cookie should be signed (defaults to false).
  • key - the name of the cookie to use to store the token secret (defaults to '_csrf').
  • ttl - The time to live of the cookie use to store the token secret (default 300s).

Custom exception message

app.useGlobalFilters(new CsrfFilter());

Or use your custom exception filter by catch 2 class

CsrfInvalidException;

And

CsrfNotFoundException;

How to verify csrf token

HTTP Request must be have at least one of these headers:

  • csrf-token
  • xsrf-token
  • x-csrf-token
  • x-xsrf-token
    or query param:
  • _csrf
    or body param:
  • _csrf

Restful API Setup

Important: Request must be sent with withCredentials set to true to allow cookies to be sent from the frontend or credentials set to include in fetch API.

Generate token here

  @Get('/token')
  getCsrfToken(@Req() req): any {
    return {
      token: req.csrfToken()
    }
  }

Protected route with csrf

  import {Csrf} from "ncsrf";
  ...
  @Post()
  @Csrf()
  needProtect(): string{
    return "Protected!";
  }

Protected route with csrf and custom exception message

  import {Csrf} from "ncsrf";
  ...
  @Post()
  @Csrf("Custom exception message")
  needProtect(): string{
    return "Protected!";
  }

GraphQL Setup

Important: Request must be sent with withCredentials set to true to allow cookies to be sent from the frontend or credentials set to include in fetch API.

Generate token here

  @Query((returns) => string, { name: 'getToken', nullable: false })
  async getUsers(@Context('req') req: any) {
    return req?.csrfToken();
  }

Protected route with csrf

  import {CsrfQL} from "ncsrf";
  ...
  @Mutation((returns) => string, { name: 'needProtect', nullable: false })
  @CsrfQL()
  needProtect(): string{
    return "Protected!";
  }

Protected route with csrf and custom exception message

  import {CsrfQL} from "ncsrf";
  ...
  @Mutation((returns) => string, { name: 'needProtect', nullable: false })
  @CsrfQL("Custom exception message")
  needProtect(): string{
    return "Protected!";
  }

Issue & contribute

  • If you have any issue, please create an issue.
  • If you want to contribute, please create a pull request.

Thank you for using this module.

About

Simple NestJS CSRF verify token

Topics

csrf nestjs ncsrf

Resources

Readme
Activity

Stars

18 stars

Watchers

1 watching

Forks

8 forks
Report repository

Releases 6

v1.1.0 Latest
Feb 17, 2024
+ 5 releases

Packages

No packages published

Contributors 4

Languages