### Install @fastify/csrf

Source: https://github.com/fastify/csrf/blob/main/README.md

Install the CSRF module using npm.

```sh
npm i @fastify/csrf
```

--------------------------------

### Initialize CSRF Tokens

Source: https://github.com/fastify/csrf/blob/main/README.md

Import and create a new instance of the Tokens class. Options can be provided to customize token generation.

```js
const Tokens = require('@fastify/csrf')
```

--------------------------------

### new Tokens([options])

Source: https://github.com/fastify/csrf/blob/main/README.md

Creates a new instance for CSRF token generation and verification. Options can be provided to customize the token generation process.

```APIDOC
## new Tokens([options])

### Description
Create a new token generation/verification instance. The `options` argument is optional and will just use all defaults if missing.

### Options
Tokens accept these properties in the options object.

##### algorithm
The hash-algorithm to generate the token. Defaults to `sha256`.

##### saltLength
The length of the internal salt to use, in characters. Internally, the salt is a base 62 string. Defaults to `8` characters.

##### secretLength
The length of the secret to generate, in bytes. Note that the secret is passed around base-64 encoded and that this length refers to the underlying bytes, not the length of the base-64 string. Defaults to `18` bytes.

##### userInfo
Require user-specific information in `tokens.create()` and `tokens.verify()`.

##### hmacKey
When set, the `hmacKey` is used to generate the cryptographic HMAC hash instead of the default hash function.

##### validity
The maximum validity of the token to generate, in milliseconds. Note that the epoch is passed around base-36 encoded. Defaults to `0` milliseconds (disabled).
```

--------------------------------

### tokens.secretSync()

Source: https://github.com/fastify/csrf/blob/main/README.md

Synchronously generates a new secret string. Use this when asynchronous operations are not desired or possible.

````APIDOC
## tokens.secretSync()

### Description
A synchronous version of `tokens.secret(callback)`. Please see `tokens.secret(callback)` documentation for full details.

### Request Example
```js
const secret = tokens.secretSync()
```
````

--------------------------------

### Generate Secret Asynchronously with Promises

Source: https://github.com/fastify/csrf/blob/main/README.md

Asynchronously generate a secret string using Promises. This is an alternative to the callback-based approach and requires a Promise polyfill for Node.js versions prior to 0.12.

```js
tokens.secret().then(function (secret) {
  // Do something with the secret
})
```

--------------------------------

### tokens.create(secret[, userInfo])

Source: https://github.com/fastify/csrf/blob/main/README.md

Generates a CSRF token associated with a given secret. This token should be included in forms and sent back by the client.

````APIDOC
## tokens.create(secret[, userInfo])

### Description
Create a new CSRF token attached to the given `secret`. The `secret` is a string, typically generated from the `tokens.secret()` or `tokens.secretSync()` methods. This token is what you should add into HTML `<form>` blocks and expect the user's browser to provide back.

The `userInfo` parameter can be used to protect against cookie tossing attacks (and similar) when the application is deployed with untrusted subdomains. It will encode some user-specific information within the token. It is used only if `userInfo: true` is passed to the constructor.

### Request Example
```js
const secret = tokens.secretSync()
const token = tokens.create(secret)
```
````

--------------------------------

### Generate Secret Synchronously

Source: https://github.com/fastify/csrf/blob/main/README.md

Synchronously generate a secret string. This is a convenient option when asynchronous operations are not necessary.

```js
const secret = tokens.secretSync()
```

--------------------------------

### tokens.verify(secret, token[, userInfo])

Source: https://github.com/fastify/csrf/blob/main/README.md

Validates a given CSRF token against a secret, returning a boolean indicating validity. The `userInfo` parameter is required if it was configured during initialization.

````APIDOC
## tokens.verify(secret, token[, userInfo])

### Description
Check whether a CSRF token is valid for the given `secret`, returning a Boolean.

The `userInfo` parameter is required if `userInfo: true` was configured during initialization. The user-specific information must match what was passed in `tokens.create()`.

### Request Example
```js
if (!tokens.verify(secret, token)) {
  throw new Error('invalid token!')
}
```
````

--------------------------------

### tokens.secret()

Source: https://github.com/fastify/csrf/blob/main/README.md

Asynchronously generates a new secret string and returns a Promise. This is an alternative to the callback-based `tokens.secret(callback)`.

````APIDOC
## tokens.secret()

### Description
Asynchronously create a new `secret` and return a `Promise`. Please see `tokens.secret(callback)` documentation for full details.

**Note**: To use promises in Node.js _prior to 0.12_, promises must be "polyfilled" using `global.Promise = require('bluebird')`.

### Request Example
```js
tokens.secret().then(function (secret) {
  // Do something with the secret
})
```
````

--------------------------------

### tokens.secret(callback)

Source: https://github.com/fastify/csrf/blob/main/README.md

Asynchronously generates a new secret string. This secret should be stored server-side, typically in a user's session.

````APIDOC
## tokens.secret(callback)

### Description
Asynchronously create a new `secret`, which is a string. The secret is to be kept on the server, typically stored in a server-side session for the user. The secret should be at least per user.

### Request Example
```js
tokens.secret(function (err, secret) {
  if (err) throw err
  // Do something with the secret
})
```
````

--------------------------------

### Generate Secret Asynchronously

Source: https://github.com/fastify/csrf/blob/main/README.md

Asynchronously generate a secret string. This secret should be stored server-side, typically in a user's session. Handles errors via a callback.

```js
tokens.secret(function (err, secret) {
  if (err) throw err
  // Do something with the secret
})
```

--------------------------------

### Generate CSRF Token

Source: https://github.com/fastify/csrf/blob/main/README.md

Generate a CSRF token using a secret. The secret is typically obtained from `tokens.secretSync()` or `tokens.secret()`. This token should be included in HTML forms.

```js
const secret = tokens.secretSync()
const token = tokens.create(secret)
```

--------------------------------

### Verify CSRF Token

Source: https://github.com/fastify/csrf/blob/main/README.md

Verify if a given CSRF token is valid for the provided secret. Returns a boolean indicating validity.

```js
if (!tokens.verify(secret, token)) {
  throw new Error('invalid token!')
}
```
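What binding a token to the session secret, to `userInfo`, to an `hmacKey` and to a `validity` window buys at verification time, shown as an added sketch built on Node's `crypto` module. This is not @fastify/csrf's code or its token format: `newSecret`, `createToken`, `verifyToken`, the token layout and the sample values are assumptions made for illustration.

```javascript
const crypto = require('crypto')

// Hypothetical helpers for this sketch; none of these names belong to @fastify/csrf.
const newSecret = (bytes = 18) => crypto.randomBytes(bytes).toString('hex')

// Keyed hash over an unambiguous encoding of every field the token is bound to.
function mac (hmacKey, fields) {
  return crypto.createHmac('sha256', hmacKey).update(JSON.stringify(fields)).digest('hex')
}

// Token layout used in this sketch only: <expiry, base 36>.<salt>.<HMAC>
function createToken (opts, secret, userInfo, now = Date.now()) {
  const expires = (now + opts.validity).toString(36)
  const salt = crypto.randomBytes(6).toString('hex')
  return `${expires}.${salt}.${mac(opts.hmacKey, [expires, salt, userInfo, secret])}`
}

function verifyToken (opts, secret, token, userInfo, now = Date.now()) {
  const parts = typeof token === 'string' ? token.split('.') : []
  if (parts.length !== 3) return false
  const [expires, salt, tag] = parts
  const expected = Buffer.from(mac(opts.hmacKey, [expires, salt, userInfo, secret]))
  const given = Buffer.from(tag)
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return false
  if (!crypto.timingSafeEqual(given, expected)) return false
  // The expiry is only trusted once the MAC covering it has been checked.
  return now <= parseInt(expires, 36)
}

// Constructed scenario: one session secret, a token issued to "alice" for 60 s.
function demo () {
  const opts = { hmacKey: newSecret(32), validity: 60000 }
  const secret = newSecret() // stays in the server-side session
  const t0 = 1700000000000 // constructed clock value, in ms
  const token = createToken(opts, secret, 'alice', t0)
  const forged = token.replace(/^[^.]+/, (t0 + 3600000).toString(36))
  return {
    valid: verifyToken(opts, secret, token, 'alice', t0 + 1000),
    otherUser: verifyToken(opts, secret, token, 'bob', t0 + 1000),
    otherSecret: verifyToken(opts, newSecret(), token, 'alice', t0 + 1000),
    expired: verifyToken(opts, secret, token, 'alice', t0 + 60001),
    forgedExpiry: verifyToken(opts, secret, forged, 'alice', t0 + 60001)
  }
}

console.log(demo())
```

Only the first check passes: a token presented with different user information, under a different session secret, after its validity window, or with a rewritten expiry field is rejected.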