zet-lib 2.0.2 → 3.0.1

package/lib/csrf.js

@@ -0,0 +1,129 @@
+"use strict";
+
+const crypto = require('crypto');
+
+/**
+ * CSRF Protection Middleware
+ * Compatible with csurf API for easy migration
+ * 
+ * @param {Object} options - Configuration options
+ * @param {Boolean} options.cookie - Use cookie-based storage (default: false, uses session)
+ * @param {String} options.cookieKey - Cookie name for secret (default: '_csrf')
+ * @param {String} options.value - Function to get token from request (default: reads from body/query/header)
+ * @param {Boolean} options.ignoreMethods - HTTP methods to ignore (default: ['GET', 'HEAD', 'OPTIONS'])
+ * @param {String} options.secretLength - Length of secret (default: 24)
+ */
+function csrf(options = {}) {
+  const opts = {
+    cookie: options.cookie !== undefined ? options.cookie : false,
+    cookieKey: options.cookieKey || '_csrf',
+    value: options.value || defaultValue,
+    ignoreMethods: options.ignoreMethods || ['GET', 'HEAD', 'OPTIONS'],
+    secretLength: options.secretLength || 24
+  };
+
+  // Generate a secret for cookie-based storage
+  function generateSecret() {
+    return crypto.randomBytes(opts.secretLength).toString('base64');
+  }
+
+  // Generate CSRF token from secret
+  function generateToken(secret) {
+    return crypto
+      .createHash('sha1')
+      .update(secret + 'csrfSecret')
+      .digest('base64');
+  }
+
+  // Get secret from cookie or session
+  function getSecret(req) {
+    if (opts.cookie) {
+      return req.cookies && req.cookies[opts.cookieKey];
+    } else {
+      return req.session && req.session._csrfSecret;
+    }
+  }
+
+  // Set secret in cookie or session
+  function setSecret(req, res, secret) {
+    if (opts.cookie) {
+      // Set cookie if not already set
+      if (!req.cookies || !req.cookies[opts.cookieKey]) {
+        res.cookie(opts.cookieKey, secret, {
+          httpOnly: true,
+          secure: process.env.NODE_ENV === 'production',
+          sameSite: 'strict',
+          maxAge: 86400000 // 24 hours
+        });
+        // Also set in req.cookies for immediate access
+        if (!req.cookies) {
+          req.cookies = {};
+        }
+        req.cookies[opts.cookieKey] = secret;
+      }
+    } else {
+      if (!req.session) {
+        throw new Error('Session is required when cookie option is false');
+      }
+      if (!req.session._csrfSecret) {
+        req.session._csrfSecret = secret;
+      }
+    }
+  }
+
+  // Default function to get token from request
+  function defaultValue(req) {
+    return (req.body && req.body._csrf) ||
+           (req.query && req.query._csrf) ||
+           (req.headers['csrf-token']) ||
+           (req.headers['xsrf-token']) ||
+           (req.headers['x-csrf-token']) ||
+           (req.headers['x-xsrf-token']);
+  }
+
+  // Middleware function
+  return function csrfMiddleware(req, res, next) {
+    // Get or create secret
+    let secret = getSecret(req);
+    if (!secret) {
+      secret = generateSecret();
+      setSecret(req, res, secret);
+    }
+
+    // Attach csrfToken method to request
+    req.csrfToken = function csrfToken() {
+      return generateToken(getSecret(req));
+    };
+
+    // Skip CSRF validation for ignored methods
+    if (opts.ignoreMethods.indexOf(req.method) !== -1) {
+      return next();
+    }
+
+    // Skip CSRF validation for AJAX calls (X-Requested-With header)
+    // This allows AJAX calls without token refresh
+    if (req.headers['x-requested-with'] === 'XMLHttpRequest' || req.xhr) {
+      return next();
+    }
+
+    // Get token from request
+    const token = opts.value(req);
+    const secretValue = getSecret(req);
+    const expectedToken = generateToken(secretValue);
+
+    // Validate token
+    if (!token || token !== expectedToken) {
+      const err = new Error('Invalid CSRF token');
+      err.status = 403;
+      err.code = 'EBADCSRFTOKEN';
+      return next(err);
+    }
+
+    // Token is valid, continue
+    next();
+  };
+}
+
+// Export the csrf function
+module.exports = csrf;
+

package/lib/generatorApi.js

@@ -3,7 +3,7 @@ const router = express.Router();
 const generatorApp = require("./generatorApp");
 const configGenerator = require('./config_generator');
 
-const csrf = require('csurf');
+const csrf = require('./csrf');
 const Model = require("./Model");
 const fs = require('fs-extra');
 //const {connection, Util} = require('zet-lib');

package/lib/index.js

@@ -28,7 +28,8 @@ const coreModules = {
   zPage: require("./zPage"),
   zTester: require("./zTester"),
   zCache: require("./zCache"),
-  zDropbox: require("./zDropbox")
+  zDropbox: require("./zDropbox"),
+  csrf: require("./csrf")
 };
 
 // Heavy dependencies - lazy loaded (only when accessed)

package/lib/views/router.txt

@@ -1,7 +1,6 @@
 const router = require('express').Router();
-const csrf = require('csurf');
+const {Util, access, connection, moduleLib, zDebug, zRoute, zRole, zDataTable, zForm, csrf} = require('zet-lib');
 const csrfProtection = csrf({cookie: true});
-const {Util, access, connection, moduleLib, zDebug, zRoute, zRole, zDataTable, zForm} = require('zet-lib');
 const MYMODEL = require('./../models/[[[TABLE_NAME]]]');
 
 router.get('/', async (req, res) => {

package/lib/views/zgenerator/routerApp.ejs

@@ -1,5 +1,5 @@
 const router = require('express').Router();
-const csrf = require('csurf');
+const {csrf} = require('zet-lib');
 const csrfProtection = csrf({cookie: true});
 const {Util, access, connection, moduleLib, zDebug, zRoute, zRole, zDataTable, zForm} = require('zet-lib');
 const MYMODEL = require('./../models/[[[TABLE_NAME]]]');

package/lib/zAppRouter.js

@@ -1,7 +1,7 @@
 require("dotenv").config();
 const express = require("express");
 const router = express.Router();
-const csrf = require("csurf");
+const csrf = require("./csrf");
 const csrfProtection = csrf({ cookie: true });
 const zRoute = require("./zRoute");
 const connection = require("./connection");

package/lib/zGeneratorRouter.js

@@ -1,6 +1,6 @@
 const express = require("express");
 const router = express.Router();
-const csrf = require("csurf");
+const csrf = require("./csrf");
 const csrfProtection = csrf({ cookie: true });
 const fs = require("fs-extra");
 const axios = require("axios");

package/lib/zMenuRouter.js

@@ -1,6 +1,6 @@
 const express = require('express');
 const router = express.Router();
-const csrf = require('csurf');
+const csrf = require('./csrf');
 const csrfProtection = csrf({cookie: true});
 const fs = require('fs-extra');
 //const {Util, connection, zRole, zCache } = require('zet-lib');

package/lib/zPage.js

@@ -52,7 +52,7 @@ zpage.build = async (req, res) => {
 
 zpage.coreCode = () => {
     return `const router = require('express').Router();
-const csrf = require('csurf');
+const {csrf} = require('zet-lib');
 const csrfProtection = csrf({cookie: true});
 const fs = require('fs-extra');
 const qs = require('qs');

package/lib/zRoleRouter.js

@@ -1,7 +1,7 @@
 const express = require('express')
 const router = express.Router()
 // setup route middlewares
-const csrf = require('csurf')
+const csrf = require('./csrf')
 const bodyParser = require('body-parser')
 const path = require('path')
 const parseForm = bodyParser.urlencoded({ extended: true })

package/lib/zViewGenerator.js

@@ -1,6 +1,6 @@
 const express = require('express');
 const router = express.Router();
-const csrf = require('csurf');
+const csrf = require('./csrf');
 const csrfProtection = csrf({cookie: true});
 const fs = require("fs-extra");
 const Util = require("./Util");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zet-lib",
-  "version": "2.0.2",
+  "version": "3.0.1",
   "description": "zet is a library that part of zet generator.",
   "engines": {
     "node": ">=18"
@@ -30,7 +30,6 @@
   "dependencies": {
     "axios": "^1.7.9",
     "convert-excel-to-json": "^1.7.0",
-    "csurf": "^1.11.0",
     "dotenv": "^16.5.0",
     "dropbox": "^10.34.0",
     "ejs": "^3.1.10",