feat: added ctx.state._csrf, removed ctx.csrf, ctx._csrf, and ctx.res…

…ponse.csrf (fixes #50)
koajs · Jul 2, 2022 · db4df33 · db4df33
1 parent 8265e53
commit db4df33
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 56 deletions.
diff --git a/README.md b/README.md
@@ -9,13 +9,14 @@
 
 > CSRF tokens for Koa
 
+> **NOTE:** As of v5.0.0+ `ctx.csrf`, `ctx_csrf`, and `ctx.response.csrf` are removed – instead use `ctx.state._csrf`
+
 
 ## Table of Contents
 
 * [Install](#install)
 * [Usage](#usage)
 * [Options](#options)
-* [Open Source Contributor Requests](#open-source-contributor-requests)
 * [Contributors](#contributors)
 * [License](#license)
 
@@ -64,7 +65,7 @@ npm install koa-csrf
      if (![ 'GET', 'POST' ].includes(ctx.method))
        return next();
      if (ctx.method === 'GET') {
-       ctx.body = ctx.csrf;
+       ctx.body = ctx.state._csrf;
        return;
      }
      ctx.body = 'OK';
@@ -79,7 +80,7 @@ npm install koa-csrf
 
    ```jade
    form(action='/register', method='POST')
-     input(type='hidden', name='_csrf', value=csrf)
+     input(type='hidden', name='_csrf', value=_csrf)
      input(type='email', name='email', placeholder='Email')
      input(type='password', name='password', placeholder='Password')
      button(type='submit') Register
@@ -89,7 +90,7 @@ npm install koa-csrf
 
    ```ejs
    <form action="/register" method="POST">
-     <input type="hidden" name="_csrf" value="<%= csrf %>" />
+     <input type="hidden" name="_csrf" value="<%= _csrf %>" />
      <input type="email" name="email" placeholder="Email" />
      <input type="password" name="password" placeholder="Password" />
      <button type="submit">Register</button>
@@ -103,12 +104,7 @@ npm install koa-csrf
 * `invalidTokenStatusCode` (Number) - defaults to `403`
 * `excludedMethods` (Array) - defaults to `[ 'GET', 'HEAD', 'OPTIONS' ]`
 * `disableQuery` (Boolean) - defaults to `false`
-
-
-## Open Source Contributor Requests
-
-* [ ] Existing methods from 1.x package added to 3.x
-* [ ] Existing tests from 1.x package added to 3.x
+* `ignoredPathGlobs` (Array) - defaults to an empty Array, but you can pass an Array of glob paths to ignore
 
 
 ## Contributors

diff --git a/index.js b/index.js
@@ -1,4 +1,6 @@
 const csrf = require('csrf');
+const isSANB = require('is-string-and-not-blank');
+const multimatch = require('multimatch');
 
 function CSRF(opts = {}) {
   const tokens = csrf(opts);
@@ -8,65 +10,47 @@ function CSRF(opts = {}) {
     invalidTokenStatusCode: 403,
     excludedMethods: ['GET', 'HEAD', 'OPTIONS'],
     disableQuery: false,
+    ignoredPathGlobs: [],
     ...opts
   };
 
-  return function (ctx, next) {
-    Object.defineProperty(ctx, 'csrf', {
-      get() {
-        if (ctx._csrf) {
-          return ctx._csrf;
-        }
+  // eslint-disable-next-line complexity
+  return async function (ctx, next) {
+    if (!ctx.session) return next();
 
-        if (!ctx.session) {
-          return null;
-        }
+    if (!ctx.session.secret) ctx.session.secret = await tokens.secret();
 
-        if (!ctx.session.secret) {
-          ctx.session.secret = tokens.secretSync();
-        }
+    if (!ctx.state._csrf) ctx.state._csrf = tokens.create(ctx.session.secret);
 
-        ctx._csrf = tokens.create(ctx.session.secret);
+    if (opts.excludedMethods.includes(ctx.method)) return next();
 
-        return ctx._csrf;
-      }
-    });
-
-    Object.defineProperty(ctx.response, 'csrf', {
-      get: () => ctx.csrf
-    });
-
-    if (opts.excludedMethods.includes(ctx.method)) {
-      return next();
+    // check against ignored/whitelisted redirect middleware paths
+    if (
+      Array.isArray(opts.ignoredPathGlobs) &&
+      opts.ignoredPathGlobs.length > 0
+    ) {
+      const match = multimatch(ctx.path, opts.ignoredPathGlobs);
+      if (Array.isArray(match) && match.length > 0) return next();
     }
 
-    if (!ctx.session.secret) {
-      ctx.session.secret = tokens.secretSync();
-    }
+    const bodyToken = isSANB(ctx.request.body._csrf)
+      ? ctx.request.body._csrf
+      : false;
 
-    const bodyToken =
-      ctx.request.body && typeof ctx.request.body._csrf === 'string'
-        ? ctx.request.body._csrf
+    const queryToken =
+      !bodyToken && !opts.disableQuery && ctx.query && isSANB(ctx.query._csrf)
+        ? ctx.query._csrf
         : false;
 
     const token =
       bodyToken ||
-      (!opts.disableQuery && ctx.query && ctx.query._csrf) ||
+      queryToken ||
       ctx.get('csrf-token') ||
       ctx.get('xsrf-token') ||
       ctx.get('x-csrf-token') ||
       ctx.get('x-xsrf-token');
 
-    if (!token) {
-      return ctx.throw(
-        opts.invalidTokenStatusCode,
-        typeof opts.invalidTokenMessage === 'function'
-          ? opts.invalidTokenMessage(ctx)
-          : opts.invalidTokenMessage
-      );
-    }
-
-    if (!tokens.verify(ctx.session.secret, token)) {
+    if (!token || !tokens.verify(ctx.session.secret, token)) {
       return ctx.throw(
         opts.invalidTokenStatusCode,
         typeof opts.invalidTokenMessage === 'function'

diff --git a/package.json b/package.json
@@ -22,14 +22,16 @@
     }
   ],
   "dependencies": {
-    "csrf": "^3.1.0"
+    "csrf": "^3.1.0",
+    "is-string-and-not-blank": "^0.0.2",
+    "multimatch": "5"
   },
   "devDependencies": {
     "@commitlint/cli": "^17.0.3",
     "@commitlint/config-conventional": "^17.0.3",
     "ava": "^4.3.0",
     "cross-env": "^7.0.3",
-    "eslint": "^8.18.0",
+    "eslint": "^8.19.0",
     "eslint-config-xo-lass": "^2.0.1",
     "fixpack": "^4.0.0",
     "husky": "^8.0.1",

diff --git a/test/test.js b/test/test.js
@@ -2,7 +2,6 @@ const test = require('ava');
 const Koa = require('koa');
 const bodyParser = require('koa-bodyparser');
 const session = require('koa-generic-session');
-const convert = require('koa-convert');
 const supertest = require('supertest');
 
 const CSRF = require('..');
@@ -11,7 +10,10 @@ const tokenRegExp = /^\w+-[\w+/-]+/;
 
 test.before((t) => {
   t.context.request = getApp();
-  t.context.requestWithOpts = getApp({ disableQuery: true });
+  t.context.requestWithOpts = getApp({
+    disableQuery: true,
+    ignoredPathGlobs: ['/beep']
+  });
 });
 
 test('should create a token', async (t) => {
@@ -94,16 +96,24 @@ test('should not respect the _csrf querystring given disableQuery=true', async (
   t.is(res2.text, 'Invalid CSRF token');
 });
 
+test('should ignore CSRF validation when ignoredPathGlobs matches', async (t) => {
+  await t.context.requestWithOpts.get('/');
+  await t.context.requestWithOpts.post('/beep');
+  const res = await t.context.requestWithOpts.post('/boop');
+  t.is(res.status, 403);
+  t.is(res.text, 'Invalid CSRF token');
+});
+
 function getApp(opts = {}) {
   const app = new Koa();
   app.keys = ['a', 'b'];
-  app.use(convert(session()));
+  app.use(session());
   app.use(bodyParser());
   app.use(new CSRF(opts));
   app.use((ctx, next) => {
     if (!['GET', 'POST'].includes(ctx.method)) return next();
     if (ctx.method === 'GET') {
-      ctx.body = ctx.csrf;
+      ctx.body = ctx.state._csrf;
       return;
     }