yesbabyyes / express-csrf
Cross-site request forgery protection for Express Node.js framework
I think it would be useful for others to read this post about CSRF and AJAX: http://erlend.oftedal.no/blog/?blogid=118
This kind of protection would have to be added manually depending on the structure of the application, but it would be helpful to point people in the right direction in the readme for this module. Also, it would be nice to support CSRF tokens in the headers.
Please push the latest changes to npm.
Thanks
When installing it just as the instructions said, I got the following error:
500 TypeError: Cannot read property 'lastAccess' of undefined
at HTTPServer. (/[projname]/node_modules/express-csrf/lib/index.js:21:83)
blah blah blah.
It appears that the library expects request session object to have a lastAccess property, but it doesn't exist. Looking at the request object, I can't seem to find any substitute.
Here are the modules I'm using:
├─┬ [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ └── [email protected]
├── [email protected] extraneous
├── [email protected]
├─┬ [email protected] extraneous
│ ├── [email protected]
│ ├── [email protected]
│ └── [email protected]
└── [email protected] extraneous
Error:
500 TypeError: Cannot use 'in' operator to search for 'csrf' in undefined
Any ideas about compatibility with connect-form?
I was just looking at the code after I recommended this to someone in #node.js: you call next(err) after responding, which is generally bad practice with connect middleware, since the error-handling middleware may decide (and usually does) to respond.
The way you generate the token is just wrong from an information theory perspective. What you want is a random token that would be very hard to guess. You instead generate a token which seems random but is actually quite simple to guess. You use the current time and the last access time to generate the hash. The times are in milliseconds, and are usually the same exact time (or differ by a few milliseconds)! If the user has logged in within the past 10 minutes, that means there are only 1000*60*10 = 600,000 combinations to try to guess the csrf token. This isn't much these days; any attacker could do it. And if the user has logged in within the past minute, it's only 60,000 guesses. This is much lower than the 2^128 guesses implied by having a 128-bit token.
I would fix it, but connect (which express uses) has its own CORRECT implementation of csrf here: http://senchalabs.github.com/connect/middleware-csrf.html
I think you should direct people to connect's csrf implementation as it's already included in express.