Provides a modified fetch that is automatically secure against CSRF attacks for non-idempotent HTTP methods.
This enhancer handles CSRF protection by adding a server side middleware that checks for a valid CSRF token on requests for non-idempotent HTTP methods (e.g. POST).
yarn add fusion-plugin-csrf-protection
import {createPlugin} from 'fusion-core';
import {FetchToken} from 'fusion-tokens';

// A plugin that depends on the fetch registered on FetchToken; once the
// enhancer is applied, this fetch is the CSRF-protected one.
const pluginUsingFetch = createPlugin({
  deps: {
    fetch: FetchToken,
  },
  provides: ({fetch}) => {
    return {
      getUser: () => {
        return fetch('/get-user');
      },
    };
  },
});
// src/main.js
import React from 'react';
import {FetchToken} from 'fusion-tokens';
import App from 'fusion-react';
import CsrfProtectionEnhancer, {
  CsrfIgnoreRoutesToken,
} from 'fusion-plugin-csrf-protection';
import fetch from 'unfetch';

export default () => {
  const app = new App(<div></div>);
  // register a base fetch, then enhance it with CSRF protection
  app.register(FetchToken, fetch);
  app.enhance(FetchToken, CsrfProtectionEnhancer);
  // optional: routes exempt from the server side token check
  __NODE__ && app.register(CsrfIgnoreRoutesToken, []);
};
import CsrfProtection from 'fusion-plugin-csrf-protection';
The CSRF protection plugin. Typically, it should be registered to the FetchToken. Provides the fetch API and a server side middleware for validating CSRF requests.
import {FetchToken} from 'fusion-tokens';
The canonical token for an implementation of fetch. This plugin is generally registered on that token. For more, see the fusion-tokens repo.
import {CsrfIgnoreRoutesToken} from 'fusion-plugin-csrf-protection';
A list of routes to ignore CSRF protection on. This is rarely needed and should be used with caution.
Types: type CsrfIgnoreRoutes = Array<string>;
Default value: empty array []
// fetch returns a Promise, so await it to get the Response
const response: Response = await fetch('/test', {
  method: 'POST',
});
fetch: (url: string, options: Object) => Promise
- Client-only. A decorated fetch function that automatically does pre-flight requests for CSRF tokens if required. See https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API for more on the fetch API.
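The two mechanisms this README describes, the server side check on non-idempotent methods and the client side fetch decorator that pre-fetches a token, as an added illustration written for this page rather than the plugin's own source; the header name, the token endpoint path, the session token lookup and exact-path matching for ignored routes are assumptions of this example.

```javascript
// Methods that must not change server state; every other method needs a token.
const IDEMPOTENT = new Set(['GET', 'HEAD', 'OPTIONS']);
// Assumed header name for this example (not the plugin's own wire format).
const CSRF_HEADER = 'x-csrf-token';

// Compare tokens without an early exit on the first mismatching character.
function tokensMatch(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Server side: Koa-style middleware. `sessionToken(ctx)` returns the token bound
// to the caller's session (assumed helper); `ignoreRoutes` plays the role of
// CsrfIgnoreRoutesToken, with exact path matching assumed here.
function csrfMiddleware({ignoreRoutes = [], sessionToken}) {
  return async (ctx, next) => {
    const method = ctx.method.toUpperCase();
    if (IDEMPOTENT.has(method) || ignoreRoutes.includes(ctx.path)) return next();
    if (!tokensMatch(ctx.headers[CSRF_HEADER], sessionToken(ctx))) {
      ctx.throw(403, 'Invalid CSRF token'); // reject before any handler runs
    }
    return next();
  };
}

// Client side: decorate fetch so non-idempotent requests carry the token.
// The token is fetched once from `tokenUrl` (an assumed endpoint) and cached,
// so only the first POST pays for the pre-flight request.
function createCsrfFetch(baseFetch, tokenUrl = '/csrf-token') {
  let cached = null;
  return async (url, options = {}) => {
    const method = (options.method || 'GET').toUpperCase();
    if (IDEMPOTENT.has(method)) return baseFetch(url, options);
    if (cached === null) {
      const res = await baseFetch(tokenUrl, {method: 'GET'});
      cached = (await res.json()).token;
    }
    const headers = {...(options.headers || {}), [CSRF_HEADER]: cached};
    return baseFetch(url, {...options, headers});
  };
}
```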
fusion-plugin-csrf-protection's Issues
Migrate to new fusion-tokens api
Remove csrf endpoint once clients have time to upgrade
After simplifying the plugin we can now remove the csrf endpoint. However, we should wait some time for clients to have time to upgrade.
Migrate fusion-plugin-csrf-protection to DI
Add LICENSE
Clean up API
Add Token dependencies to readme
Problem/Rationale
Documentation regarding Fusion API is out of date given recent changes to leverage new Dependency Injection architecture.
Solution/Change/Deliverable
Update documentation
Add initial implementation
Add Token dependencies to readme
Problem/Rationale
Documentation regarding Fusion API (core; plugins; cli; etc.) is out of date given recent changes to leverage new Dependency Injection architecture.
Solution/Change/Deliverable
Update documentation
Dependency deprecation warning: generic-session (npm)
On registry https://registry.yarnpkg.com/
, the "latest" version (v0.1.2) of dependency generic-session
has the following deprecation notice:
no longer maintained
Marking the latest version of an npm package as deprecated results in the entire package being considered deprecated, so contact the package author if you think this is a mistake.
Affected package file(s): package.json
If you don't care about this, you can close this issue and not be warned about generic-session
's deprecation again. If you would like to completely disable all future deprecation warnings then add the following to your config:
"suppressNotifications": ["deprecationWarningIssues"]
Allow CSRF forms
Type of issue
Feature request
Description
It would be nice for form submits to be able to leverage CSRF protection. This doesn't seem included in the library as is right now.
Current behavior
Can only use CSRF for fetch calls
Expected behavior
Ability to add csrf-token
field to forms
Update dependencies
Use Buildkite for CI
Use `ctx.throw` to handle csrf errors
Expose {ignore, fetch} as instance methods rather than static
I don't think there is any reason to expose them as static rather than instance methods. Exposing as instance methods makes the api more consistent with other plugins we have.
Don't include url prefix if it's already included
Fix flow types