
feat: CSRF cookies allow the use of signatures.
sullayang(杨金伟) committed Jan 4, 2024
1 parent 7777aa8 commit 8b0f33e
Showing 7 changed files with 54 additions and 2 deletions.
4 changes: 2 additions & 2 deletions app/extend/context.js
Expand Up @@ -82,15 +82,15 @@ module.exports = {
*/
get [CSRF_SECRET]() {
if (this[_CSRF_SECRET]) return this[_CSRF_SECRET];
let { useSession, cookieName, sessionName } = this.app.config.security.csrf;
let { useSession, cookieName, sessionName, cookieOptions = {} } = this.app.config.security.csrf;
// get secret from session or cookie
if (useSession) {
this[_CSRF_SECRET] = this.session[sessionName] || '';
} else {
// cookieName support array. so we can change csrf cookie name smoothly
if (!Array.isArray(cookieName)) cookieName = [ cookieName ];
for (const name of cookieName) {
this[_CSRF_SECRET] = this.cookies.get(name, { signed: false }) || '';
this[_CSRF_SECRET] = this.cookies.get(name, { signed: cookieOptions.signed || false }) || '';
if (this[_CSRF_SECRET]) break;
}
}
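Review bot: The getter forwards only `signed` from `cookieOptions` to `this.cookies.get`, so if the cookie is written with the rest of those options (the setter is outside this hunk), an `encrypt: true` entry would leave the read side returning the ciphertext and the CSRF secret would never match the token. Forwarding the option symmetrically keeps both sides in step: `this[_CSRF_SECRET] = this.cookies.get(name, { signed: cookieOptions.signed || false, encrypt: cookieOptions.encrypt || false }) || '';`. The fixture config added in this commit sets `exports.keys` next to `signed: true`, which suggests signing depends on `config.keys` being configured; the getter's doc comment above the hunk should say so. The getter's body continues past the hunk.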
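--- a/config/config.default.js
+++ b/config/config.default.js
@@ -50,6 +50,10 @@ module.exports = () => {
 refererWhiteList: [
 // 'eggjs.org'
 ],
+// csrf token's cookie options
+cookieOptions: {
+signed: false,
+},
 },
 
 xframe: {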
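Review bot: The new `// csrf token's cookie options` comment does not say what turning `signed` on depends on; the fixture config in this commit sets `exports.keys` alongside `signed: true`, which suggests the cookie can only be signed when `config.keys` is configured, and a reader flipping this default should learn that here. I would extend it to `// csrf token's cookie options; signed: true requires config.keys to be set so the cookie can be signed and verified`. If other cookie options besides `signed` are honoured when the cookie is written, listing them in the same comment would spare readers a trip to app/extend/context.js.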
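--- a/test/csrf_cookieDomain.test.js
+++ b/test/csrf_cookieDomain.test.js
@@ -64,4 +64,24 @@ describe('test/csrf_cookieDomain.test.js', () => {
 .expect('Set-Cookie', /csrfToken=[\w\-]+; path=\/; httponly/);
 });
 });
+
+describe('cookieOptions use signed', () => {
+let app;
+before(() => {
+app = mm.app({
+baseDir: 'apps/csrf-cookieOptions-signed',
+});
+return app.ready();
+});
+after(() => app.close());
+
+it('should auto set csrfToken and csrfToken.sig with cookie options on GET request', () => {
+return app.httpRequest()
+.get('/hello')
+.set('Host', 'abc.aaaa.ddd.string.com')
+.expect('hello csrfToken cookieOptions signed')
+.expect(200)
+.expect('Set-Cookie', /csrfToken=[\w\-]+; path=\/,csrfToken\.sig=[\w\-]+; path=\//);
+});
+});
 });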
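Review bot: The new case only checks that `csrfToken` and `csrfToken.sig` are issued on a GET; nothing exercises the read path this commit changes in app/extend/context.js, where a `csrfToken` cookie whose signature does not verify must be ignored. A companion case that sends a `csrfToken` cookie without a valid `csrfToken.sig`, plus a matching `x-csrf-token` header, on a state-changing request and expects 403 would pin that behaviour; it needs a POST route in the `csrf-cookieOptions-signed` fixture, which currently defines only GET `/hello`. The `Host` header appears to be copied from the cookieDomain cases above and has no bearing on this assertion, so it could be dropped.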
@@ -0,0 +1,9 @@
'use strict';

module.exports = app => {
return class Home extends app.Controller {
* index() {
this.ctx.body = 'hello csrfToken cookieOptions signed';
}
};
};
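--- /dev/null
+++ b/test/fixtures/apps/csrf-cookieOptions-signed/app/router.js
@@ -0,0 +1,5 @@
+'use strict';
+
+module.exports = app => {
+app.get('/hello', 'home.index');
+};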
@@ -0,0 +1,11 @@
'use strict';

exports.keys = 'cookie options';

exports.security = {
csrf: {
cookieOptions: {
signed: true
},
},
};
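--- /dev/null
+++ b/test/fixtures/apps/csrf-cookieOptions-signed/package.json
@@ -0,0 +1,3 @@
+{
+"name": "csrf-cookieOptions-signed"
+}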
