({
options,
cookieValue,
isPost,
bodyValue,
}: CreateCSRFTokenParams)
| 23 | * https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf |
| 24 | */ |
| 25 | export function createCSRFToken({ |
| 26 | options, |
| 27 | cookieValue, |
| 28 | isPost, |
| 29 | bodyValue, |
| 30 | }: CreateCSRFTokenParams) { |
| 31 | if (cookieValue) { |
| 32 | const [csrfToken, csrfTokenHash] = cookieValue.split("|") |
| 33 | const expectedCsrfTokenHash = createHash("sha256") |
| 34 | .update(`${csrfToken}${options.secret}`) |
| 35 | .digest("hex") |
| 36 | if (csrfTokenHash === expectedCsrfTokenHash) { |
| 37 | // If hash matches then we trust the CSRF token value |
| 38 | // If this is a POST request and the CSRF Token in the POST request matches |
| 39 | // the cookie we have already verified is the one we have set, then the token is verified! |
| 40 | const csrfTokenVerified = isPost && csrfToken === bodyValue |
| 41 | |
| 42 | return { csrfTokenVerified, csrfToken } |
| 43 | } |
| 44 | } |
| 45 | |
| 46 | // New CSRF token |
| 47 | const csrfToken = randomBytes(32).toString("hex") |
| 48 | const csrfTokenHash = createHash("sha256") |
| 49 | .update(`${csrfToken}${options.secret}`) |
| 50 | .digest("hex") |
| 51 | const cookie = `${csrfToken}|${csrfTokenHash}` |
| 52 | |
| 53 | return { cookie, csrfToken } |
| 54 | } |
no outgoing calls
no test coverage detected
searching dependent graphs…