Koa CSRF 
CSRF tokens for koa.
Install
npm install koa-csrf
API
To install, do:
require('koa-csrf')(app, options)
Options
Since people seem to really care about the entropy of CSRF tokens, the hashing algorithm, etc., you can override these functions:
- length - Secret key length, default 15.
- secret - (length) -> [string] a function that creates a secret stored as this.session.secret
- salt - (length) -> [string] a function that creates a salt.
- tokenize - (secret, salt) -> salt;[string] a function that creates the CSRF token.
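An added example (not koa-csrf's own code) showing how functions with the secret, salt and tokenize shapes listed above can produce a token that changes on every request yet still verifies against one session secret. HMAC-SHA256, hex encoding, the verify helper and the constructed session object are assumptions of this example.

```javascript
const crypto = require('crypto');

// secret(length) -> string: per-session secret, kept server-side in the session.
function secret(length) {
  return crypto.randomBytes(length).toString('hex');
}

// salt(length) -> string: fresh for each token, so the token differs per request.
// Hex output never contains ';', which keeps the "salt;digest" format unambiguous.
function salt(length) {
  return crypto.randomBytes(length).toString('hex');
}

// tokenize(secret, salt) -> "salt;digest". HMAC-SHA256 is this example's choice.
function tokenize(secret, salt) {
  const digest = crypto.createHmac('sha256', secret).update(salt).digest('hex');
  return salt + ';' + digest;
}

// Hypothetical verifier: recompute the token from the salt the client sent
// and compare it with the submitted token in constant time.
function verify(secret, token) {
  if (typeof secret !== 'string' || typeof token !== 'string') return false;
  const sep = token.indexOf(';');
  if (sep <= 0) return false; // missing separator or empty salt
  const expected = Buffer.from(tokenize(secret, token.slice(0, sep)));
  const given = Buffer.from(token);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Constructed session object standing in for this.session.
const session = { secret: secret(15) };
const first = tokenize(session.secret, salt(10));
const second = tokenize(session.secret, salt(10));

console.log('tokens differ per request:', first !== second);
console.log('both verify:', verify(session.secret, first), verify(session.secret, second));
console.log('other session secret:', verify(secret(15), first));
console.log('tampered digest:', verify(session.secret, first.replace(/.$/, 'x')));
```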
this.csrf
Lazily creates a CSRF token. CSRF tokens change on every request.
app.use(function* () {
  this.render({
    csrf: this.csrf
  })
})
this.assertCSRF([body])
Check the CSRF token of a request with an optional body. Will throw if the CSRF token does not exist or is not valid.
var parse = require('co-body') // or any body parser that yields the parsed body
app.use(function* () {
  var body = yield parse(this) // co-body or something
  try {
    this.assertCSRF(body)
  } catch (err) {
    // assertCSRF throws when the token is missing or invalid
    this.status = 403
    this.body = {
      message: 'This CSRF token is invalid!'
    }
    return
  }
})
Middleware
You can use this module as a koa middleware; it is similar to connect-csrf.
In most situations, you only need:
var koa = require('koa')
var csrf = require('koa-csrf')
var session = require('koa-session')
var app = koa()
app.keys = ['session secret']
app.use(session())
app.use(csrf())
app.use(function* () {
  if (this.method === 'GET') {
    this.body = this.csrf
  } else if (this.method === 'POST') {
    this.status = 204
  }
})
All the options work fine in middleware mode.
app.use(csrf({
  length: 20
}))
You can redefine the CSRF handler method by passing opts.middleware;
the default handler is csrf.middleware.