{"id":14969142,"url":"https://github.com/fastify/csrf","last_synced_at":"2025-04-09T13:06:31.462Z","repository":{"id":38071322,"uuid":"363932275","full_name":"fastify/csrf","owner":"fastify","description":"CSRF utilities for fastify","archived":false,"fork":false,"pushed_at":"2025-03-30T21:20:22.000Z","size":197,"stargazers_count":17,"open_issues_count":0,"forks_count":4,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-03-30T21:28:42.719Z","etag":null,"topics":["csrf","csrf-protection","fastify","fastify-fork","fastify-plugin"],"latest_commit_sha":null,"homepage":"https://npmjs.com/package/@fastify/csrf","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fastify.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"fastify","open_collective":"fastify"}},"created_at":"2021-05-03T13:05:38.000Z","updated_at":"2025-03-30T21:20:24.000Z","dependencies_parsed_at":"2023-02-06T06:50:11.687Z","dependency_job_id":"46733eb5-13ea-41b2-8eaa-8c18127f78df","html_url":"https://github.com/fastify/csrf","commit_stats":{"total_commits":348,"total_committers":18,"mean_commits":"19.333333333333332","dds":"0.31034482758620685","last_synced_commit":"911e8405c81ec95ad2ce73c7ec2adb9752db3d7d"},"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Fcsrf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Fcsrf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Fcsrf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Fcsrf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fastify","download_url":"https://codeload.github.com/fastify/csrf/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248045231,"owners_count":21038553,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csrf","csrf-protection","fastify","fastify-fork","fastify-plugin"],"created_at":"2024-09-24T13:41:12.061Z","updated_at":"2025-04-09T13:06:31.442Z","avatar_url":"https://github.com/fastify.png","language":"JavaScript","readme":"# CSRF\n\n[![CI](https://github.com/fastify/csrf/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/fastify/csrf/actions/workflows/ci.yml)\n[![NPM version](https://img.shields.io/npm/v/@fastify/csrf.svg?style=flat)](https://www.npmjs.com/package/@fastify/csrf)\n[![neostandard javascript style](https://img.shields.io/badge/code_style-neostandard-brightgreen?style=flat)](https://github.com/neostandard/neostandard)\n\nLogic behind CSRF token creation and verification.\n\nRead [Understanding-CSRF](https://github.com/pillarjs/understanding-csrf)\nfor more information on CSRF. Use this module to create custom CSRF middleware.\n\nLooking for a CSRF framework for your favorite framework that uses this\nmodule?\n\n  * Express/connect: [csurf](https://www.npmjs.com/package/csurf) or\n    [alt-xsrf](https://www.npmjs.com/package/alt-xsrf)\n  * Koa: [koa-csrf](https://www.npmjs.com/package/koa-csrf) or\n    [koa-atomic-session](https://www.npmjs.com/package/koa-atomic-session)\n\nThis module is a fork of https://github.com/pillarjs/csrf at f0d66c91ea4be6d30a03bd311ed9518951d9c3e4.\n\n### Install\n\n```sh\n$ npm i @fastify/csrf\n```\n\n### TypeScript\n\nThis module includes a [TypeScript](https://www.typescriptlang.org/)\ndeclaration file to enable auto-complete in compatible editors and type\ninformation for TypeScript projects.\n\n## API\n\n\u003c!-- eslint-disable no-unused-vars --\u003e\n\n```js\nconst Tokens = require('@fastify/csrf')\n```\n\n### new Tokens([options])\n\nCreate a new token generation/verification instance. The `options` argument is\noptional and will just use all defaults if missing.\n\n#### Options\n\nTokens accept these properties in the options object.\n\n##### algorithm\n\nThe hash-algorithm to generate the token. Defaults to `sha256`.\n\n##### saltLength\n\nThe length of the internal salt to use, in characters. Internally, the salt\nis a base 62 string. Defaults to `8` characters.\n\n##### secretLength\n\nThe length of the secret to generate, in bytes. Note that the secret is\npassed around base-64 encoded and that this length refers to the underlying\nbytes, not the length of the base-64 string. Defaults to `18` bytes.\n\n##### userInfo\n\nRequire user-specific information in `tokens.create()` and\n`tokens.verify()`.\n\n##### hmacKey\n\nWhen set, the `hmacKey` is used to generate the cryptographic HMAC hash instead of the default hash function.\n\n##### validity\n\nThe maximum validity of the token to generate, in milliseconds. Note that the epoch is\npassed around base-36 encoded. Defaults to `0` milliseconds (disabled).\n\n#### tokens.create(secret[, userInfo])\n\nCreate a new CSRF token attached to the given `secret`. The `secret` is a\nstring, typically generated from the `tokens.secret()` or `tokens.secretSync()`\nmethods. This token is what you should add into HTML `\u003cform\u003e` blocks and\nexpect the user's browser to provide back.\n\n\u003c!-- eslint-disable no-undef, no-unused-vars --\u003e\n\n```js\nconst secret = tokens.secretSync()\nconst token = tokens.create(secret)\n```\n\nThe `userInfo` parameter can be used to protect against cookie tossing\nattacks (and similar) when the application is deployed with untrusted\nsubdomains. It will encode some user-specific information within the\ntoken. It is used only if `userInfo: true` is passed to the\nconstructor.\n\n#### tokens.secret(callback)\n\nAsynchronously create a new `secret`, which is a string. The secret is to\nbe kept on the server, typically stored in a server-side session for the\nuser. The secret should be at least per user.\n\n\u003c!-- eslint-disable no-undef --\u003e\n\n```js\ntokens.secret(function (err, secret) {\n  if (err) throw err\n  // Do something with the secret\n})\n```\n\n#### tokens.secret()\n\nAsynchronously create a new `secret` and return a `Promise`. Please see\n`tokens.secret(callback)` documentation for full details.\n\n**Note**: To use promises in Node.js _prior to 0.12_, promises must be\n\"polyfilled\" using `global.Promise = require('bluebird')`.\n\n\u003c!-- eslint-disable no-undef --\u003e\n\n```js\ntokens.secret().then(function (secret) {\n  // Do something with the secret\n})\n```\n\n#### tokens.secretSync()\n\nA synchronous version of `tokens.secret(callback)`. Please see\n`tokens.secret(callback)` documentation for full details.\n\n\u003c!-- eslint-disable no-undef, no-unused-vars --\u003e\n\n```js\nconst secret = tokens.secretSync()\n```\n\n#### tokens.verify(secret, token[, userInfo])\n\nCheck whether a CSRF token is valid for the given `secret`, returning\na Boolean.\n\n\u003c!-- eslint-disable no-undef --\u003e\n\n```js\nif (!tokens.verify(secret, token)) {\n  throw new Error('invalid token!')\n}\n```\n\nThe `userInfo` parameter is required if `userInfo: true` was configured\nduring initialization. The user-specific information must match what was\npassed in `tokens.create()`.\n\n## License\n\nLicensed under [MIT](./LICENSE).\n","funding_links":["https://github.com/sponsors/fastify","https://opencollective.com/fastify"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffastify%2Fcsrf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffastify%2Fcsrf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffastify%2Fcsrf/lists"}