CSRF Tokens
Logic behind CSRF token creation and verification. Read Understanding-CSRF for more information on CSRF. Use this module to create custom CSRF middleware and what not.
API
var tokens = options var secret = tokensvar token = tokensvar valid = tokens
Options:
secretLength: 24
- the byte length of the secret keysaltLength: 8
- the string length of the salttokensize: (secret, salt) => token
- a custom token creation function
tokens.secret([cb])
Asynchronously create a new secret
of length secretLength
.
If cb
is not defined, a promise is returned.
You don't have to use this.
tokens tokens
var secret = tokens.secretSync()
Synchronous version of tokens.secret()
var token = tokens.token(secret)
Create a CSRF token based on a secret
.
This is the token you pass to clients.
var valid = tokens.verify(secret, token)
Check whether a CSRF token is valid based on a secret
.
If it's not valid, you should probably throw a 403
error.