feat: csrf cookie support cookieOptions (#80)

Author: damujiangr

.github/workflows/nodejs.yml

@@ -35,7 +35,7 @@ jobs:
  node-version: ${{ matrix.node-version }}
 
  - name: Install Dependencies
- run: npm i -g npminstall && npminstall
+ run: npm i -g npminstall@5 && npminstall
 
  - name: Continuous Integration
  run: npm run ci

.gitignore

@@ -8,3 +8,4 @@ run/
 .vscode
 package-lock.json
 .travis.yml
+.idea

README.md

@@ -219,6 +219,7 @@ exports.security = {
  supportedRequests: [ // supported URL path and method, the package will match URL path regex patterns one by one until path matched. We recommend you set {path: /^\//, methods:['POST','PATCH','DELETE','PUT','CONNECT']} as the last rule in the list, which is also the default config.
  {path: /^\//, methods:['POST','PATCH','DELETE','PUT','CONNECT']}
  ],
+ cookieOptions: {}, // csrf token's cookie options
  },
 }
 ```

app/extend/context.js

@@ -105,17 +105,18 @@ module.exports = {
  debug('ensure csrf secret, exists: %s, rotate; %s', this[CSRF_SECRET], rotate);
  const secret = tokens.secretSync();
  this[NEW_CSRF_SECRET] = secret;
- let { useSession, sessionName, cookieDomain, cookieName } = this.app.config.security.csrf;
+ let { useSession, sessionName, cookieDomain, cookieName, cookieOptions = {} } = this.app.config.security.csrf;
 
  if (useSession) {
  this.session[sessionName] = secret;
  } else {
- const cookieOpts = {
+ const defaultOpts = {
  domain: cookieDomain && cookieDomain(this),
  signed: false,
  httpOnly: false,
  overwrite: true,
  };
+ const cookieOpts = utils.merge(defaultOpts, cookieOptions);
  // cookieName support array. so we can change csrf cookie name smoothly
  if (!Array.isArray(cookieName)) cookieName = [ cookieName ];
  for (const name of cookieName) {

test/csrf_cookieDomain.test.js

@@ -44,4 +44,24 @@ describe('test/csrf_cookieDomain.test.js', () => {
  .expect('Set-Cookie', /csrfToken=[\w\-]+; path=\/; domain=\.string\.com/);
  });
  });
+
+ describe('cookieOptions = object', () => {
+ let app;
+ before(() => {
+ app = mm.app({
+ baseDir: 'apps/csrf-cookieOptions',
+ });
+ return app.ready();
+ });
+ after(() => app.close());
+
+ it('should auto set csrfToken with cookie options on GET request', () => {
+ return app.httpRequest()
+ .get('/hello')
+ .set('Host', 'abc.aaaa.ddd.string.com')
+ .expect('hello csrfToken cookieOptions')
+ .expect(200)
+ .expect('Set-Cookie', /csrfToken=[\w\-]+; path=\/; httponly/);
+ });
+ });
 });

test/fixtures/apps/csrf-cookieOptions/app/controller/home.js

@@ -0,0 +1,9 @@
+'use strict';
+
+module.exports = app => {
+ return class Home extends app.Controller {
+ * index() {
+ this.ctx.body = 'hello csrfToken cookieOptions';
+ }
+ };
+};

test/fixtures/apps/csrf-cookieOptions/app/router.js

@@ -0,0 +1,5 @@
+'use strict';
+
+module.exports = app => {
+ app.get('/hello', 'home.index');
+};

test/fixtures/apps/csrf-cookieOptions/config/config.default.js

@@ -0,0 +1,11 @@
+'use strict';
+
+exports.keys = 'cookie options';
+
+exports.security = {
+ csrf: {
+ cookieOptions: {
+ httpOnly: true,
+ },
+ },
+};

test/fixtures/apps/csrf-cookieOptions/package.json

@@ -0,0 +1,3 @@
+{
+ "name": "csrf-cookieOptions"
+}