Share a practical Nodejs npm package: koa-csrf
This article will share with you a practical Nodejs npm package---koa-csrf. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to everyone.
koa-csrf is a koa middleware used to prevent csrf attacks.
Of course, I won’t go into details here about what CSRF is and how to prevent it. Those who are interested can read understanding-csrf. egg handles csrf solution.
First we look at a simple example:
const router = require('koa-router')();
const CSRF = require('koa-csrf');
const csrfMD = new CSRF({
invalidSessionSecretMessage: 'Invalid session secret',
invalidTokenMessage: 'Invalid CSRF token',
invalidTokenStatusCode: 403,
});
router
.get('/',csrfMD,async (ctx, next) => {
ctx.cookies.set('cid','1234', cookieSet);
// 下发csrf token
await ctx.render('index', {
title: 'EJS !',
csrf: ctx.csrf
});
})
.post('/post', csrfMD ,async (ctx, next) => {
console.log(ctx.method);
ctx.session.email = ctx.request.body.email;
ctx.session.name = ctx.request.body.name;
ctx.redirect('/');
})
module.exports = router;Simple understanding of its workflow:
Client request page:
- The server is the user The current session generates a secret value and stores it in the session;
- Generate a csrf token based on the secret and store it in ctx._csrf;
- Send the csrf token to the client
User write operations, such as when sending a post request:
- The server obtains the csrf token passed by the client;
- The server finds the secret value from the current session;
- The server uses the secret to verify the received csrf token;
koa-csrf
koa-csrf's token creation and verification logic They are all in this csrf package.
const csrf = require('csrf');
class CSRF {
constructor(opts = {}) {
// opts配置对象、并且有提供默认配置
// 允许自定义配置对象进行覆盖
this.opts = Object.assign(
{
// 使 koa 抛出的错误信息内容,默认值为:'Invalid CSRF token'。
// 它可以是一个接收 ctx 作为参数的函数,函数最后返回错误信息内容。
invalidTokenMessage: 'Invalid CSRF token',
// 验证失败时的响应状态码,默认值为:403(Forbidden)
// 跟 invalidTokenMessage 参数一样,它也会被传递给 ctx.throw,用于抛出错误和拒绝请求。
invalidTokenStatusCode: 403,
// 排除的请求方法,默认值为:['GET', 'HEAD', 'OPTIONS']。
excludedMethods: ['GET', 'HEAD', 'OPTIONS'],
// 是否禁止通过查询字符串传递 _csrf 校验 token,默认值为 false
// 如果校验 token 出现在 URL 中,则可能会通过 Referer 泄露,应尽量把 Token 放在表单中,把敏感操作由 GET 改为 POST。
disableQuery: false
},
opts
);
// 生成token generation/verification instance
this.tokens = csrf(opts);
// 早期很多这样的中间件写法、对接koa中间件
return this.middleware.bind(this);
}
// koa中间件
middleware(ctx, next) {
// __defineGetter__ API已经不推荐使用
// 在ctx上挂载csrf属性。
// 当读取ctx.csrf会执行该回调
ctx.__defineGetter__('csrf', () => {
// 如果已经存在直接返回、避免多次生成
if (ctx._csrf) {
return ctx._csrf;
}
// csrf依赖于koa session
if (!ctx.session) {
return null;
}
// 生成一个secret存储在ctx.session.secret
if (!ctx.session.secret) {
ctx.session.secret = this.tokens.secretSync();
}
// 根据上述的secret生成csrf toke存到ctx._csrf
// 一般非框架本身属性,都建议_xx表示私有
ctx._csrf = this.tokens.create(ctx.session.secret);
// 返回
return ctx._csrf;
});
// 挂栽ctx.response.csrf属性
ctx.response.__defineGetter__('csrf', () => ctx.csrf);
// 如果是请求方法黑名单直接不处理
if (this.opts.excludedMethods.indexOf(ctx.method) !== -1) {
return next();
}
if (!ctx.session.secret) {
ctx.session.secret = this.tokens.secretSync();
}
// 从ctx.request.body取出客户端传递过来的_csrf token
// 因此依赖于koa-bodyparser类库
const bodyToken =
ctx.request.body && typeof ctx.request.body._csrf === 'string'
? ctx.request.body._csrf
: false;
// 除了从body获取token
// 支持从ctx.query._csrf即get方法查询字符串
// 支持从请求头获取 'csrf-token'、'xsrf-token'、'x-csrf-token'、'x-xsrf-token'
const token =
bodyToken ||
(!this.opts.disableQuery && ctx.query && ctx.query._csrf) ||
ctx.get('csrf-token') ||
ctx.get('xsrf-token') ||
ctx.get('x-csrf-token') ||
ctx.get('x-xsrf-token');
// 如果获取失败、根据配置对象的信息、抛出异常
if (!token) {
return ctx.throw(
this.opts.invalidTokenStatusCode,
typeof this.opts.invalidTokenMessage === 'function'
? this.opts.invalidTokenMessage(ctx)
: this.opts.invalidTokenMessage
);
}
// 校验token失败
if (!this.tokens.verify(ctx.session.secret, token)) {
return ctx.throw(
this.opts.invalidTokenStatusCode,
typeof this.opts.invalidTokenMessage === 'function'
? this.opts.invalidTokenMessage(ctx)
: this.opts.invalidTokenMessage
);
}
// 校验成功
return next();
}
}
module.exports = CSRF;In the next issue, we will take a look at the csrf library, which handles more related logic.
Okay, that’s it for today, see you next time.
ps: If you are also interested in node, please follow my official account: xyz Programming Diary.
Related recommendations: "nodejs tutorial"
The above is the detailed content of Share a practical Nodejs npm package: koa-csrf. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1386
52
Detailed graphic explanation of the memory and GC of the Node V8 engine
Mar 29, 2023 pm 06:02 PM
This article will give you an in-depth understanding of the memory and garbage collector (GC) of the NodeJS V8 engine. I hope it will be helpful to you!
An article about memory control in Node
Apr 26, 2023 pm 05:37 PM
The Node service built based on non-blocking and event-driven has the advantage of low memory consumption and is very suitable for handling massive network requests. Under the premise of massive requests, issues related to "memory control" need to be considered. 1. V8’s garbage collection mechanism and memory limitations Js is controlled by the garbage collection machine
Let's talk about how to choose the best Node.js Docker image?
Dec 13, 2022 pm 08:00 PM
Choosing a Docker image for Node may seem like a trivial matter, but the size and potential vulnerabilities of the image can have a significant impact on your CI/CD process and security. So how do we choose the best Node.js Docker image?
Let's talk in depth about the File module in Node
Apr 24, 2023 pm 05:49 PM
The file module is an encapsulation of underlying file operations, such as file reading/writing/opening/closing/delete adding, etc. The biggest feature of the file module is that all methods provide two versions of **synchronous** and **asynchronous**, with Methods with the sync suffix are all synchronization methods, and those without are all heterogeneous methods.
Node.js 19 is officially released, let's talk about its 6 major features!
Nov 16, 2022 pm 08:34 PM
Node 19 has been officially released. This article will give you a detailed explanation of the 6 major features of Node.js 19. I hope it will be helpful to you!
Let's talk about the GC (garbage collection) mechanism in Node.js
Nov 29, 2022 pm 08:44 PM
How does Node.js do GC (garbage collection)? The following article will take you through it.
Let's talk about the event loop in Node
Apr 11, 2023 pm 07:08 PM
The event loop is a fundamental part of Node.js and enables asynchronous programming by ensuring that the main thread is not blocked. Understanding the event loop is crucial to building efficient applications. The following article will give you an in-depth understanding of the event loop in Node. I hope it will be helpful to you!
What should I do if node cannot use npm command?
Feb 08, 2023 am 10:09 AM
The reason why node cannot use the npm command is because the environment variables are not configured correctly. The solution is: 1. Open "System Properties"; 2. Find "Environment Variables" -> "System Variables", and then edit the environment variables; 3. Find the location of nodejs folder; 4. Click "OK".
