
Chore/update with v3 changes #73

Merged
merged 13 commits into from
Sep 21, 2024

Conversation

psibean
Contributor

@psibean psibean commented Sep 21, 2024

Brings v3 upstream changes

psibean added 11 commits May 15, 2024 23:31
Added the getSessionIdentifier parameter to the csrf-csrf configuration.
By providing the getSessionIdentifier callback, generated tokens will
only be valid for the original session identifier they were generated
for.

For example: (req) => req.session.id

The token will now be signed with the session id included; this means a
generated CSRF token will only be valid for the session it was generated
for. This also means that if you rotate your sessions (which you should),
you will also need to generate a new CSRF token for the session after
rotating it.
BREAKING CHANGE: Parameter update to generateToken.

The third and fourth parameters for generateToken have been combined into an object.
The third parameter is keyed by overwrite, the fourth parameter is keyed by validateOnReuse.

Any calls to generateToken (also via req.csrfToken) will need to be updated accordingly:

generateToken(req, res) > generateToken(req, res) // no change
generateToken(req, res, true) > generateToken(req, res, { overwrite: true });
generateToken(req, res, true, false) > generateToken(req, res, { overwrite: true, validateOnReuse: false })

req.csrfToken(true) > req.csrfToken({ overwrite: true });
req.csrfToken(true, true) > req.csrfToken({ overwrite: true, validateOnReuse: true });
When calling `generateToken`, the third options object parameter
can now take a cookieOptions property to override any of the initial
cookieOptions that were provided.

This commit also removes the forced httpOnly true option.

E.g. generateToken(req, res, { cookieOptions })
@psibean psibean self-assigned this Sep 21, 2024
@psibean psibean merged commit 3a016c5 into main Sep 21, 2024
7 checks passed
1 participant