All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
3.0.7 (2024-09-21)
- Marked >= 3.0.7 as security supported version
- support optional stateless association of token with session (710d2f6)
  Added the `getSessionIdentifier` parameter to the csrf-csrf configuration. By providing the `getSessionIdentifier` callback, generated tokens will only be valid for the original session identifier they were generated for. For example: `(req) => req.session.id`
  The token will now be signed with the session id included, so a generated CSRF token is only valid for the session it was generated for. This also means that if you rotate your sessions (which you should), you will also need to generate a new CSRF token for the session after rotating it.
3.0.6 (2024-05-17)
- No changes, just a bump to fix broken release
3.0.5 (2024-05-15)
- ensure types are correctly exported (a07ff81)
3.0.4 (2024-04-03)
3.0.3 (2023-12-16)
- improve CommonJS TypeScript support (a9dfbb7)
- remove duplicate string in union type RequestMethod (4e9f344)
3.0.2 (2023-11-05)
- support multiple secrets (backwards compatible) (51da818)
- accept validateOnGeneration param in req.csrfToken (0d6187a)
- picking a secret in generateTokenAndHash (2b4f540)
- typing in CsrfTokenCreator (8f4d03f)
3.0.1 (2023-09-15)
- Previously csrf-csrf would overwrite any existing token when calling `generateToken` or `req.csrfToken`; this is no longer the case. By default these methods will now return an existing token, making token-per-session the default behaviour. To maintain the previous behaviour you will need to set the `overwrite` parameter to `true` when calling `generateToken` or `req.csrfToken`.
- `generateToken` has had the request and response parameters swapped; you will need to update your `generateToken` invocations to: `generateToken(req, res)`