MCPcopy
hub / github.com/nextauthjs/next-auth / createCSRFToken

Function createCSRFToken

src/core/lib/csrf-token.ts:25–54  ·  view source on GitHub ↗
({
  options,
  cookieValue,
  isPost,
  bodyValue,
}: CreateCSRFTokenParams)

Source from the content-addressed store, hash-verified

23 * https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
24 */
25export function createCSRFToken({
26 options,
27 cookieValue,
28 isPost,
29 bodyValue,
30}: CreateCSRFTokenParams) {
31 if (cookieValue) {
32 const [csrfToken, csrfTokenHash] = cookieValue.split("|")
33 const expectedCsrfTokenHash = createHash("sha256")
34 .update(`${csrfToken}${options.secret}`)
35 .digest("hex")
36 if (csrfTokenHash === expectedCsrfTokenHash) {
37 // If hash matches then we trust the CSRF token value
38 // If this is a POST request and the CSRF Token in the POST request matches
39 // the cookie we have already verified is the one we have set, then the token is verified!
40 const csrfTokenVerified = isPost && csrfToken === bodyValue
41
42 return { csrfTokenVerified, csrfToken }
43 }
44 }
45
46 // New CSRF token
47 const csrfToken = randomBytes(32).toString("hex")
48 const csrfTokenHash = createHash("sha256")
49 .update(`${csrfToken}${options.secret}`)
50 .digest("hex")
51 const cookie = `${csrfToken}|${csrfTokenHash}`
52
53 return { cookie, csrfToken }
54}

Callers 1

initFunction · 0.90

Calls

no outgoing calls

Tested by

no test coverage detected

Used in the wild real call sites across dependent graphs

searching dependent graphs…