Signed cookies are not supported #13
Comments
Can you please give an example?

Quite busy now, I'll try to get to it on Sunday evening. Thank you for your patience.
Here's example code that results in an HTTP 500 'invalid csrf token' error when the form is submitted:

```js
const fastify = require('fastify')()
const fastifyCookie = require('fastify-cookie')
const fastifyFormBody = require('fastify-formbody')
const fastifyCSRF = require('fastify-csrf')

// Cookie plugin with a secret, so cookies marked `signed: true` get an HMAC suffix
fastify.register(fastifyCookie, {
  secret: 'my-secret',
})
// Needed so the POSTed `_csrf` form field is parsed into request.body
fastify.register(fastifyFormBody)
// Ask fastify-csrf to set its secret cookie as a signed cookie
fastify.register(fastifyCSRF, {
  cookie: {
    signed: true,
  },
})

// GET renders a form carrying a freshly generated CSRF token
fastify.get('/', (request, reply) => {
  reply.type('text/html; charset=utf-8')
  reply.send(`
<!DOCTYPE html>
<html>
<head><meta charset="UTF-8"><title>Signed cookie test</title></head>
<body>
  <form action="/" method="post">
    <input type="hidden" name="_csrf" value="${request.csrfToken()}">
    <button>Test signed CSRF cookie</button>
  </form>
</body>
</html>
`)
})

// POST is where the token is checked against the (signed) cookie and fails with 500
fastify.post('/', (request, reply) => {
  reply.type('text/plain; charset=UTF-8').send('CSRF OK')
})

fastify.listen(3000)
```

Removing the

Now, I know it's not really needed security-wise to have the cookie signed, however, it would be nice to either support it, or drop the flag with a warning to the console.
Confirmed. Pls submit PR

Sorry for the delay, the PR is ready.
Hello again,

setting the `cookie.signed` flag `true` in the options results in `fastify-cookie` signing the cookies being set by this middleware, however, fastify-csrf does not properly handle reading signed cookies, since they need to be "unsigned" to get to the raw value. I recommend adding an `if (cookie.signed) { ... }` check to the `getSecret()` function to make this work. I am willing to submit a PR, if you'd prefer me to do so.

Thank you in advance.