Hello again, setting the cookie.signed</co

Signed cookies are not supported about csrf-protection HOT 5 CLOSED

fastify commented on May 16, 2024

Signed cookies are not supported

from csrf-protection.

Comments (5)

jurca commented on May 16, 2024 1

Quite busy now, I'll try to get to it on Sunday evening. Thank you for your patience.

from csrf-protection.

Tarang11 commented on May 16, 2024

Can you please give an example.

from csrf-protection.

jurca commented on May 16, 2024

Here's an example code that results in HTTP 500 'invalid csrf token' error when the form is submitted:

const fastify = require('fastify')()
const fastifyCookie = require('fastify-cookie')
const fastifyFormBody = require('fastify-formbody')
const fastifyCSRF = require('fastify-csrf')

fastify.register(fastifyCookie, {
  secret: 'my-secret',
})
fastify.register(fastifyFormBody)
fastify.register(fastifyCSRF, {
  cookie: {
    signed: true,
  },
})

fastify.get('/', (request, reply) => {
  reply.type('text/html; charset=utf-8')
  reply.send(`
    <!DOCTYPE html>
    <html>
      <head><meta charset="UTF-8"><title>Signed cookie test</title></head>
      <body>
        <form action="/" method="post">
          <input type="hidden" name="_csrf" value="${request.csrfToken()}">
          <button>Test signed CSRF cookie</button>
        </form>
      </body>
    </html>
  `)
})

fastify.post('/', (request, reply) => {
  reply.type('text/plain; charset=UTF-8').send('CSRF OK')
})

fastify.listen(3000)

Removing the signed: true, line, making the CSRF cookie not signed, resolves the issue.

Now, I know it's not really needed security-wise to have the cookie signed, however, it would be nice to either support it, or drop the flag with a warning to the console.

from csrf-protection.

Tarang11 commented on May 16, 2024

Confirmed. Pls submit PR

from csrf-protection.

jurca commented on May 16, 2024

Sorry for the delay, the PR is ready.

from csrf-protection.

Recommend Projects