Created — forked from drapeko/express_csrf

nodejs express smart csrf pseudo code

express_csrf
// User's session has a fixed-size pool of tokens. A new token is generated every X minutes
// and each token becomes invalid Y minutes after it was created. You always return the most
// recent token and check a submitted token against all tokens still in the pool.

const crypto = require('crypto')

const MINUTE = 60 * 1000
const token_valid = 180 * MINUTE            // Y: a token stays valid for 180 minutes
const create_new_token_every = 60 * MINUTE  // X: a new token is minted every 60 minutes

const size = 3               // fixed pool size
const pool = []              // your session pool, most recent record first
const current_version = '1'  // bump this to invalidate every outstanding token at once

const getToken = function () {
  removeOld()

  const recent_token_rec = pool[0]
  if (recent_token_rec && recent_token_rec.createdAt > Date.now() - create_new_token_every) {
    return recent_token_rec.token
  }

  if (pool.length >= size) {
    pool.pop()  // drop the oldest record to make room
  }

  const new_rec = {
    version: current_version,
    createdAt: Date.now(),  // a number, so the expiry arithmetic in removeOld() works
    token: crypto.randomBytes(32).toString('hex')  // some_algo(): must be unpredictable
  }
  pool.unshift(new_rec)

  return new_rec.token
}

const removeOld = function () {
  const now = Date.now()
  // iterate backwards so removing an element does not skip the next one
  for (let i = pool.length - 1; i >= 0; i--) {
    const rec = pool[i]
    if (rec.createdAt + token_valid < now || rec.version !== current_version) {
      pool.splice(i, 1)
    }
  }
}

const check = function (token) {
  removeOld()
  const submitted = Buffer.from(String(token))
  // compare against every live token; timingSafeEqual keeps each comparison constant-time
  return pool.some(function (rec) {
    const stored = Buffer.from(rec.token)
    return stored.length === submitted.length && crypto.timingSafeEqual(stored, submitted)
  })
}
