Created
November 18, 2011 12:19
-
-
Save nowelium/1376306 to your computer and use it in GitHub Desktop.
yet-another-express-csrf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
const crypto = require('crypto'); | |
const connect = require('connect'); | |
exports.token = function(request, response){ | |
if(request.session){ | |
var lastAccess = request.session.lastAccess; | |
var csrf = crypto.createHash('md5').update('' + Date.now() + lastAccess).digest('hex'); | |
return request.session['csrf'] = csrf; | |
} | |
return null; | |
}; | |
exports.check = function(options){ | |
return connect.createServer(function(request, response, next){ | |
if(/POST/i.test(request.method)){ | |
if(request.body){ | |
if(!('csrf' in request.body)){ | |
// no check csrf | |
return next(); | |
} | |
var requestCSRF = request.body['csrf']; | |
var sessionCSRF = request.session['csrf']; | |
if(requestCSRF === sessionCSRF){ | |
// valid csrf | |
return next(); | |
} | |
return next(new Error('Cross-size request forgery attempt discovered')); | |
} | |
return next(); | |
} | |
return next(); | |
}); | |
}; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment