csrf docs

middleware-csrf.html

@@ -0,0 +1,140 @@
+<html>
+  <head>
+    <title>
+
+        Connect - csrf
+
+    </title>
+    <link rel='stylesheet' href='main.css' />
+  </head>
+  <body>
+    <div id="content">
+
+        <h1>csrf</h1>
+        <span class="filename">lib/middleware/csrf.js</span>
+
+
+
+
+
+
+
+
+          <div class="comment">
+
+            <p class="description"><p>CRSF protection middleware.</p></p>
+
+
+              <div class="body">
+                <p>By default this middleware generates a token named &quot;_csrf&quot;
+which should be added to requests which mutate
+state, within a hidden form field, query-string etc. This
+token is validated against the visitor&#39;s <code>req.session._csrf</code>
+property which is re-generated per request.</p>
+
+<p>The default <code>value</code> function checks <code>req.body</code> generated
+by the <code>bodyParser()</code> middleware, and <code>req.query</code> generated
+by <code>query()</code>.</p>
+
+<p>This middleware requires session support, thus should be added
+somewhere <em>below</em> <code>session()</code> and <code>cookieParser()</code>.</p>
+
+<h2>Examples</h2>
+
+<pre><code> var form = &#39;\n\
+   &lt;form action=&quot;/&quot; method=&quot;post&quot;&gt;\n\
+     &lt;input type=&quot;hidden&quot; name=&quot;_csrf&quot; value=&quot;{token}&quot; /&gt;\n\
+     &lt;input type=&quot;text&quot; name=&quot;user[name]&quot; value=&quot;{user}&quot; /&gt;\n\
+     &lt;input type=&quot;password&quot; name=&quot;user[pass]&quot; /&gt;\n\
+     &lt;input type=&quot;submit&quot; value=&quot;Login&quot; /&gt;\n\
+   &lt;/form&gt;\n\
+ &#39;; 
+
+ connect(
+     connect.cookieParser()
+   , connect.session({ secret: &#39;keyboard cat&#39; })
+   , connect.bodyParser()
+   , connect.csrf()
+
+   , function(req, res, next){
+     if (&#39;POST&#39; != req.method) return next();
+     req.session.user = req.body.user;
+     next();
+   }
+
+   , function(req, res){
+     res.setHeader(&#39;Content-Type&#39;, &#39;text/html&#39;);
+     var body = form
+       .replace(&#39;{token}&#39;, req.session._csrf)
+       .replace(&#39;{user}&#39;, req.session.user &amp;&amp; req.session.user.name || &#39;&#39;);
+     res.end(body);
+   }
+ ).listen(3000);</code></pre>
+
+<h2>Options</h2>
+
+<ul><li><code>value</code> a function accepting the request, returning the token </li></ul>
+              </div>
+
+
+
+              <ul class="tags">
+
+
+
+
+
+
+
+
+                  <li class="param"><em>param</em> <span class="types">Object</span> <span class="name">options</span> <span class="description"></span></li>
+
+
+
+
+
+                  <li class="api"><em>api</em> <span class="visibility">public</span></li>
+
+
+
+
+
+
+              </ul>
+
+<!--            
+              <pre class="code">
+                <code>
+module.exports = function csrf(options) {
+  var options = options || {}
+    , value = options.value || defaultValue;
+
+  return function(req, res, next){
+    // generate CSRF token
+    var token = req.session._csrf;
+    req.session._csrf = utils.uid(24);
+
+    // ignore GET (for now)
+    if ('GET' == req.method) return next();
+
+    // determine value
+    var val = value(req);
+
+    // check
+    if (val != token) return utils.forbidden(res);
+    
+    next();
+  }
+};
+                </code>
+              </pre>
+             -->
+
+          </div>
+
+
+
+
+    </div>
+  </body>
+</html>