Skip to content
This repository has been archived by the owner on May 17, 2019. It is now read-only.

fusionjs/fusion-plugin-csrf-protection

Repository files navigation

fusion-plugin-csrf-protection

Build status

Provides a modified fetch that is automatically secure against CSRF attacks for non-idempotent HTTP methods.

This enhancer handles csrf protection by adding a server side middleware that checks for a valid csrf token on requests for non-idempotent HTTP methods (e.g. POST).

Table of contents


Installation

yarn add fusion-plugin-csrf-protection

Usage

import {createPlugin} from 'fusion-core';
import {FetchToken} from 'fusion-tokens';

const pluginUsingFetch = createPlugin({
  deps: {
    fetch: FetchToken,
  },
  provides: ({fetch}) => {
    return {
      getUser: () => {
        return fetch('/get-user');
      }
    }
  },
});

Setup

// src/main.js
import React from 'react';
import {FetchToken} from 'fusion-tokens';
import App from 'fusion-react';
import CsrfProtectionEnhancer, {
  CsrfIgnoreRoutesToken,
} from 'fusion-plugin-csrf-protection';
import fetch from unfetch;

export default () => {
  const app = new App(<div></div>);
  app.register(FetchToken, fetch);
  app.enhance(FetchToken, CsrfProtectionEnhancer);
  // optional
  __NODE__ && app.register(CsrfIgnoreRoutesToken, []);
}

API

Registration API

CsrfProtection
import CsrfProtection from 'fusion-plugin-csrf-protection';

The csrf protection plugin. Typically, it should be registered to the FetchToken. Provides the fetch api and a server side middleware for validating csrf requests.

FetchToken
import {FetchToken} from 'fusion-tokens';

The canonical token for an implementation of fetch. This plugin is generally registered on that token. For more, see the fusion-tokens repo.

Dependencies

CsrfIgnoreRoutesToken
import {CsrfIgnoreRoutesToken} from 'fusion-plugin-csrf-protection';

A list of routes to ignore csrf protection on. This is rarely needed and should be used with caution.

Types

type CsrfIgnoreRoutes = Array<string>;

Default value

Empty array []

Service API

const response: Response = fetch('/test', {
  method: 'POST',  
})

fetch: (url: string, options: Object) => Promise - Client-only. A decorated fetch function that automatically does pre-flight requests for CSRF tokens if required.

See https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API for more on the fetch api.