Provide misconfigured error when using cookies without cookie-parser

HISTORY.md

@@ -2,6 +2,7 @@ unreleased
 ==========
 
   * Pass invalid csrf token error to `next()` instead of throwing
+  * Provide misconfigured error when using cookies without cookie-parser
   * deps: cookie@0.2.4
     - perf: enable strict mode
     - perf: use for loop in parse

index.js

@@ -190,23 +190,28 @@ function getIgnoredMethods (methods) {
  */
 
 function getsecret (req, sessionKey, cookie) {
-  var secret
+  var bag
+  var key
 
   if (cookie) {
     // get secret from cookie
-    var bag = cookie.signed
+    var cookieKey = cookie.signed
       ? 'signedCookies'
       : 'cookies'
 
-    secret = req[bag][cookie.key]
-  } else if (req[sessionKey]) {
-    // get secret from session
-    secret = req[sessionKey].csrfSecret
+    bag = req[cookieKey]
+    key = cookie.key
   } else {
+    // get secret from session
+    bag = req[sessionKey]
+    key = 'csrfSecret'
+  }
+
+  if (!bag) {
     throw new Error('misconfigured csrf')
   }
 
-  return secret
+  return bag[key]
 }
 
 /**

test/test.js

@@ -229,7 +229,7 @@ describe('csurf', function () {
     })
   })
 
-  it('should error without secret storage', function (done) {
+  it('should error without session secret storage', function (done) {
     var app = connect()
 
     app.use(csurf())
@@ -239,6 +239,16 @@ describe('csurf', function () {
     .expect(500, /misconfigured csrf/, done)
   })
 
+  it('should error without cookie secret storage', function (done) {
+    var app = connect()
+
+    app.use(csurf({ cookie: true }))
+
+    request(app)
+    .get('/')
+    .expect(500, /misconfigured csrf/, done)
+  })
+
   it('should error without cookieParser secret and signed cookie storage', function (done) {
     var app = connect()