npm - csrf-shield - Versions diffs - 1.0.1 → 1.0.3 - Mend

csrf-shield 1.0.1 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/app.js CHANGED Viewed

@@ -1,70 +1,92 @@
-const CryptoJS = require('crypto-js');
+const crypto = require('crypto');
 module.exports = function(options = {}) {
-    const {
-        secret = CryptoJS.lib.WordArray.random(32).toString(),
-        timeout = 1000 * 60 * 10,
-    } = options;
+    // Buffer işlemleri string işlemlerinden hızlıdır, secret'ı hazırda tutuyoruz.
+    const secretKey = options.secret ? Buffer.from(options.secret) : crypto.randomBytes(32);
+    const timeout = options.timeout || 1000 * 60 * 10;
+    const ALGORITHM = 'sha1'; // Hız için SHA1 (CSRF için yeterince güvenli). Daha yüksek güvenlik için 'sha256' yapın.
-    function generateToken(ip, userAgent) {
-        const timestamp = Date.now();
-        const data = JSON.stringify({ ip, userAgent, timestamp });
-        return CryptoJS.AES.encrypt(data, secret).toString();
-    }
-    function parseToken(token) {
-        try {
-            const bytes = CryptoJS.AES.decrypt(token, secret);
-            const decryptedData = bytes.toString(CryptoJS.enc.Utf8);
-            return JSON.parse(decryptedData);
-        } catch (error) {
-            throw new Error('Invalid token');
-        }
-    }
-    function verifyToken(token, ip, userAgent) {
-        try {
-            const { ip: tokenIp, userAgent: tokenUserAgent, timestamp } = parseToken(token);
-            if (tokenIp !== ip || tokenUserAgent !== userAgent) {
-                return { valid: false, reason: 'Token mismatch' };
-            }
-            if (Date.now() - timestamp > timeout) {
-                return { valid: false, reason: 'Token expired' };
-            }
-            return { valid: true };
-        } catch (error) {
-            return { valid: false, reason: error.message };
-        }
+    // IP'yi en hızlı şekilde alma fonksiyonu
+    // Proxy güvenliği için 'trust proxy' ayarının express'te yapılı olduğunu varsayıyoruz.
+    function getIP(req) {
+        return req.headers['cf-connecting-ip'] || req.headers['x-forwarded-for'] || req.headers['x-real-ip'] || req.socket.remoteAddress ||  '';
     }
     return {
         middleware: function(req, res, next) {
+            // MEMOIZATION: Token sadece ilk çağrıldığında hesaplanır, sonra cache'den gelir.
+            let _cachedToken = null;
             req.csrfToken = function() {
-                const ip = req.headers['cf-connecting-ip'] || req.headers['x-forwarded-for'] || req.ip;
-                const userAgent = req.headers['user-agent'];
-                return generateToken(ip, userAgent);
+                if (_cachedToken) return _cachedToken;
+                const timestamp = Date.now();
+                // User-Agent ve IP'yi al
+                const ua = req.headers['user-agent'] || '';
+                const ip = getIP(req);
+                // Tek seferlik string birleştirme (V8 motoru bunu çok iyi optimize eder)
+                // Format: timestamp|ip|ua
+                const payload = timestamp + '|' + ip + '|' + ua;
+                // C++ Binding'e tek çağrı (Overhead'i azaltır)
+                const signature = crypto.createHmac(ALGORITHM, secretKey)
+                                        .update(payload)
+                                        .digest('base64');
+                // Token: timestamp:signature
+                _cachedToken = timestamp + ':' + signature;
+                return _cachedToken;
             };
             next();
         },
         verifyToken: function() {
             return function(req, res, next) {
-                const token = req.body._csrf || req.query._csrf || req.headers['x-csrf-token'];
+                // Token'ı en olası lokasyonlardan sırayla dene
+                const token = req.body?._csrf || req.headers['x-csrf-token'] || req.query?._csrf;
                 if (!token) {
-                    return res.status(403).json({ status: false, message: 'CSRF token is missing' });
+                    return res.status(403).json({ status: false, message: 'MISSING_TOKEN' });
+                }
+                // OPTIMIZASYON: Split yerine hızlı indeks bulma
+                const separatorIndex = token.indexOf(':');
+                if (separatorIndex === -1) {
+                    return res.status(403).json({ status: false, message: 'INVALID_FORMAT' });
                 }
-                const ip = req.headers['cf-connecting-ip'] || req.headers['x-forwarded-for'] || req.ip;
-                const userAgent = req.headers['user-agent'];
+                // Timestamp'i parse et
+                const timestampStr = token.substring(0, separatorIndex);
+                const receivedSignature = token.substring(separatorIndex + 1);
+                const timestamp = parseInt(timestampStr, 10);
+                // 1. ADIM: Kriptografik işlemden ÖNCE zaman kontrolü (En ucuz kontrol)
+                if (!timestamp || (Date.now() - timestamp > timeout)) {
+                    return res.status(403).json({ status: false, message: 'TOKEN_EXPIRED' });
+                }
+                // 2. ADIM: İmzayı yeniden oluştur
+                const ua = req.headers['user-agent'] || '';
+                const ip = getIP(req);
+                const expectedSignature = crypto.createHmac(ALGORITHM, secretKey)
+                                                .update(timestampStr + '|' + ip + '|' + ua)
+                                                .digest('base64');
-                const { valid, reason } = verifyToken(token, ip, userAgent);
+                // 3. ADIM: Timing-Safe karşılaştırma (Buffer seviyesinde)
+                const signatureBuf = Buffer.from(receivedSignature);
+                const expectedBuf = Buffer.from(expectedSignature);
-                if (!valid) {
-                    return res.status(403).json({ status: false, message: `CSRF_TOKEN_INVALID`, details: reason });
+                if (signatureBuf.length !== expectedBuf.length || !crypto.timingSafeEqual(signatureBuf, expectedBuf)) {
+                    console.log('CSRF token mismatch:', {
+                        received: receivedSignature,
+                        expected: expectedSignature,
+                        ip: ip,
+                        ua: ua
+                    });
+                    return res.status(403).json({ status: false, message: 'CSRF_TOKEN_INVALID' });
                 }
                 next();

package/old.js ADDED Viewed

@@ -0,0 +1,74 @@
+const CryptoJS = require('crypto-js');
+module.exports = function(options = {}) {
+    const {
+        secret = CryptoJS.lib.WordArray.random(32).toString(),
+        timeout = 1000 * 60 * 10,
+    } = options;
+    function generateToken(ip, userAgent) {
+        const timestamp = Date.now();
+        const data = JSON.stringify({ ip, userAgent, timestamp });
+        return CryptoJS.AES.encrypt(data, secret).toString();
+    }
+    function parseToken(token) {
+        try {
+            const bytes = CryptoJS.AES.decrypt(token, secret);
+            const decryptedData = bytes.toString(CryptoJS.enc.Utf8);
+            return JSON.parse(decryptedData);
+        } catch (error) {
+            throw new Error('Invalid token');
+        }
+    }
+    function verifyToken(token, ip, userAgent) {
+        try {
+            const { ip: tokenIp, userAgent: tokenUserAgent, timestamp } = parseToken(token);
+            if (tokenIp !== ip || tokenUserAgent !== userAgent) {
+                return { valid: false, reason: 'Token mismatch' };
+            }
+            if (Date.now() - timestamp > timeout) {
+                return { valid: false, reason: 'Token expired' };
+            }
+            return { valid: true };
+        } catch (error) {
+            return { valid: false, reason: error.message };
+        }
+    }
+    return {
+        middleware: function(req, res, next) {
+            req.csrfToken = function() {
+                const ip = req.headers['cf-connecting-ip'] || req.headers['x-forwarded-for'] || req.ip;
+                const userAgent = req.headers['user-agent'];
+                return generateToken(ip, userAgent);
+            };
+            next();
+        },
+        verifyToken: function() {
+            return function(req, res, next) {
+                const token = req.body._csrf || req.query._csrf || req.headers['x-csrf-token'];
+                if (!token) {
+                    return res.status(403).json({ status: false, message: 'CSRF token is missing' });
+                }
+                const ip = req.headers['cf-connecting-ip'] || req.headers['x-forwarded-for'] || req.ip;
+                const userAgent = req.headers['user-agent'];
+                const { valid, reason } = verifyToken(token, ip, userAgent);
+                if (!valid) {
+                    return res.status(403).json({ status: false, message: `CSRF_TOKEN_INVALID`, details: reason });
+                }
+                next();
+            };
+        }
+    };
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "csrf-shield",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "CSRF protection middleware for Express.js applications.",
   "main": "app.js",
   "scripts": {