Update type release v1.1.1

Author: khanh2906

SECURITY.md

@@ -4,7 +4,8 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 1.0.0   | :white_check_mark: |
+| 1.0.3   | :white_check_mark: |
+| 1.1.1   | :white_check_mark: |
 
 
 ## Reporting a Vulnerability

lib/cjs/index.js

@@ -1,31 +1,30 @@
-"use strict"
+"use strict";
 
 /**
- * ************************************
- *   Cross-site request forgery
- * ************************************
+ * @module csrf
+ * @description Cross-site request forgery (CSRF) protection middleware.
  */
 
-const crypto = require("crypto")
+const crypto = require("crypto");
 
 /**
  * @typedef {Object} CsrfConfig
- * @property {number} tokenLength
- * @property {Object} storage
- * @property {string} storage.type
- * @property {Object} storage.options
- * @property {string} param
- * @property {string} value
- * @property {function} errorResponse
- * @property {function} protectCondition
- * @property {function} getTransmitToken
+ * @property {number} [tokenLength=16] - The length of the CSRF token in bytes.
+ * @property {Object} [storage] - The storage configuration for the CSRF token.
+ * @property {string} [storage.type='session'] - The type of storage to use for the CSRF token ('session' or 'cookie').
+ * @property {Object} [storage.options={}] - Options to pass to the cookie storage (e.g., `domain`, `path`, `secure`, `httpOnly`). Only applicable when `storage.type` is 'cookie'.
+ * @property {string} [param='_csrf'] - The name of the request body or query parameter to check for the CSRF token.
+ * @property {string} [value='csrfToken'] - The name of the local variable to set the CSRF token to for use in templates.
+ * @property {function} [errorResponse] - A function to call when the CSRF token is invalid.  It should accept `(req, res, next)` and send an appropriate error response.
+ * @property {function} [protectCondition] - A function to determine if CSRF protection should be applied.  It should accept `(req)` and return `true` to protect, `false` to skip.
+ * @property {function} [getTransmitToken] - A function to retrieve the CSRF token from the request.  It should accept `(req)` and return the token string or `null`.
  */
 
 /**
  * @type {Object}
  * @property {Object} STORAGE
- * @property {string} STORAGE.SESSION
- * @property {string} STORAGE.COOKIE
+ * @property {string} STORAGE.SESSION - String constant representing session storage type.
+ * @property {string} STORAGE.COOKIE - String constant representing cookie storage type.
  */
 const CONSTANT = {
 	STORAGE: {
@@ -36,20 +35,21 @@ const CONSTANT = {
 
 /**
  * @typedef {Object} Csrf
- * @property {string} param
- * @property {string} value
- * @property {Object} storage
- * @property {string} storage.type
- * @property {Object} storage.options
- * @property {number} tokenLength
- * @property {function} getToken
- * @property {function} clearToken
- * @property {function} protectCondition
- * @property {function} getTransmitToken
- * @property {function} errorResponse
+ * @property {string} param - The name of the request body or query parameter to check for the CSRF token.
+ * @property {string} value - The name of the local variable to set the CSRF token to for use in templates.
+ * @property {Object} storage - The storage configuration for the CSRF token.
+ * @property {string} storage.type - The type of storage to use for the CSRF token ('session' or 'cookie').
+ * @property {Object} storage.options - Options to pass to the cookie storage (e.g., `domain`, `path`, `secure`, `httpOnly`).
+ * @property {number} tokenLength - The length of the CSRF token in bytes.
+ * @property {function} getToken - A function to get the CSRF token from the request.
+ * @property {function} clearToken - A function to clear the CSRF token from the request and/or response.
+ * @property {function} protectCondition - A function to determine if CSRF protection should be applied.
+ * @property {function} getTransmitToken - A function to retrieve the CSRF token from the request.
+ * @property {function} errorResponse - A function to call when the CSRF token is invalid.
  */
 
 /**
+ * @private
  * @type {Csrf}
  */
 let csrf = {
@@ -60,14 +60,28 @@ let csrf = {
 		options: {}
 	},
 	tokenLength: 16,
+	/**
+	 * Gets the CSRF token from the request, based on the configured storage type.
+	 * @param {Object} req - The Express request object.
+	 * @returns {string|null} The CSRF token, or null if not found.
+	 */
 	getToken: (req) => {
 		switch (csrf.storage.type) {
 			case CONSTANT.STORAGE.SESSION:
 				return req.session[csrf.param] || null;
 			case CONSTANT.STORAGE.COOKIE:
 				return req.cookies[csrf.param] || null;
+			default:
+				console.warn("CSRF: Unknown storage type:", csrf.storage.type);
+				return null; // Or throw an error
 		}
 	},
+	/**
+	 * Clears the CSRF token from the request and/or response, based on the configured storage type.
+	 * @param {Object} req - The Express request object.
+	 * @param {Object} res - The Express response object.
+	 * @returns {void}
+	 */
 	clearToken: (req, res) => {
 		switch (csrf.storage.type) {
 			case CONSTANT.STORAGE.SESSION:
@@ -76,14 +90,34 @@ let csrf = {
 			case CONSTANT.STORAGE.COOKIE:
 				res.clearCookie(csrf.param)
 				break
+			default:
+				console.warn("CSRF: Unknown storage type:", csrf.storage.type);
+				break;
 		}
 	},
+	/**
+	 * Determines if CSRF protection should be applied to the request.
+	 * @param {Object} req - The Express request object.
+	 * @returns {boolean} True if CSRF protection should be applied, false otherwise.
+	 */
 	protectCondition: (req) => {
 		return req.method === 'POST' || req.method === 'PUT' || req.method === 'DELETE'
 	},
+	/**
+	 * Gets the CSRF token from the request headers or body.
+	 * @param {Object} req - The Express request object.
+	 * @returns {string|null|undefined} The CSRF token, or undefined if not found.
+	 */
 	getTransmitToken: (req) => {
 		return req.body._csrf || req.headers['csrf-token'];
 	},
+	/**
+	 * Sends an error response when the CSRF token is invalid.
+	 * @param {Object} req - The Express request object.
+	 * @param {Object} res - The Express response object.
+	 * @param {function} next - The Express next function.
+	 * @returns {void}
+	 */
 	errorResponse: (req, res, next) => {
 		res.status(403).send('CSRF token invalid');
 	}
@@ -92,10 +126,16 @@ let csrf = {
 module.exports = {
 	CONSTANT,
 	/**
-	 * Generate CSRF protection middleware
-	 * 
-	 * @param {CsrfConfig} [csrfConfig]
-	 * @returns {function} Middleware function
+	 * Generates CSRF protection middleware.
+	 *
+	 * @param {CsrfConfig} [csrfConfig] - The CSRF configuration object.
+	 * @returns {function} An Express middleware function.
+	 *
+	 * @example
+	 * const csrfMiddleware = csrf.generate({
+	 *   storage: { type: 'cookie', options: { secure: true } }
+	 * });
+	 * app.use(csrfMiddleware);
 	 */
 	generate: (csrfConfig = {
 		tokenLength: 16,
@@ -109,8 +149,18 @@ module.exports = {
 		protectCondition: csrf.protectCondition,
 		getTransmitToken: csrf.getTransmitToken
 	}) => {
+		//@ts-ignore
 		csrf = { ...csrf, ...csrfConfig };
 		return async (req, res, next) => {
+			if (csrfConfig.storage.type === CONSTANT.STORAGE.SESSION && typeof req.session === 'undefined') {
+				throw new Error('CSRF: Session middleware (e.g., express-session) is required when using session storage.');
+			}
+
+			// Check for cookie middleware
+			if (csrfConfig.storage.type === CONSTANT.STORAGE.COOKIE && typeof req.cookies === 'undefined') {
+				throw new Error('CSRF: cookie-parser middleware is required when using cookie storage.');
+			}
+
 			try {
 				if (!csrf.getToken(req)) {
 					const token = crypto.randomBytes(csrf.tokenLength).toString('hex');
@@ -122,6 +172,9 @@ module.exports = {
 						case CONSTANT.STORAGE.COOKIE:
 							res.cookie(csrf.param, token, csrf.storage.options);
 							break;
+						default:
+							console.warn("CSRF: Unknown storage type:", csrf.storage.type);
+							break;
 					}
 					req.currentCsrfToken = token
 				}
@@ -133,22 +186,32 @@ module.exports = {
 		}
 	},
 	/**
-	 * Set CSRF token in response locals
-	 * 
-	 * @param {Object} req
-	 * @param {Object} res
-	 * @param {function} next
+	 * Sets the CSRF token in the response locals, making it available to templates.
+	 *
+	 * @param {Object} req - The Express request object.
+	 * @param {Object} res - The Express response object.
+	 * @param {function} next - The Express next function.
+	 * @returns {void}
+	 *
+	 * @example
+	 * app.use(csrf.setTokenLocalsParam);
 	 */
 	setTokenLocalsParam: (req, res, next) => {
 		res.locals[csrf.value] = csrf.getToken(req) || req.currentCsrfToken
 		next();
 	},
 	/**
-	 * CSRF protection middleware
-	 * 
-	 * @param {Object} req
-	 * @param {Object} res
-	 * @param {function} next
+	 * Protects routes from CSRF attacks by validating the CSRF token.
+	 *
+	 * @param {Object} req - The Express request object.
+	 * @param {Object} res - The Express response object.
+	 * @param {function} next - The Express next function.
+	 * @returns {void}
+	 *
+	 * @example
+	 * app.post('/form', csrf.protect, (req, res) => {
+	 *   // ... handle form submission
+	 * });
 	 */
 	protect: (req, res, next) => {
 		try {

package.json

@@ -1,14 +1,16 @@
 {
   "name": "@knfs-tech/csrf",
-  "version": "1.0.3",
+  "version": "1.1.1",
   "description": "Cross-site request forgery module",
   "main": "./lib/cjs/index.js",
   "module": "./lib/esm/index.js",
+  "types": "./types/index.d.ts",
   "scripts": {
     "test": "jest --runInBand --force-exit --detectOpenHandles"
   },
   "files": [
-    "lib"
+    "lib",
+    "types"
   ],
   "repository": {
     "type": "git",
@@ -34,6 +36,8 @@
     "express-session": "^1.18.0",
     "jest": "^29.7.0",
     "sinon": "^18.0.0",
-    "supertest": "^7.0.0"
+    "supertest": "^7.0.0",
+    "typescript": "^5.8.3",
+    "undici-types": "^7.8.0"
   }
 }

tsconfig.json

@@ -0,0 +1,17 @@
+{
+	"compilerOptions": {
+		"target": "ES2020",
+		"module": "ESNext",
+		"declaration": true,
+		"emitDeclarationOnly": true,
+		"outDir": "types",
+		"allowJs": true,
+		"checkJs": true,
+		"moduleResolution": "node",
+		"esModuleInterop": true,
+		"skipLibCheck": true
+	},
+	"include": [
+		"lib/cjs"
+	]
+}

types/index.d.ts

@@ -0,0 +1,103 @@
+declare namespace _exports {
+    export { CsrfConfig, Csrf };
+}
+declare namespace _exports {
+    export { CONSTANT };
+    export function generate(csrfConfig?: CsrfConfig): Function;
+    export function setTokenLocalsParam(req: any, res: any, next: Function): void;
+    export function protect(req: any, res: any, next: Function): void;
+}
+export = _exports;
+type CsrfConfig = {
+    /**
+     * - The length of the CSRF token in bytes.
+     */
+    tokenLength?: number;
+    /**
+     * - The storage configuration for the CSRF token.
+     */
+    storage?: {
+        type?: string;
+        options?: any;
+    };
+    /**
+     * - The name of the request body or query parameter to check for the CSRF token.
+     */
+    param?: string;
+    /**
+     * - The name of the local variable to set the CSRF token to for use in templates.
+     */
+    value?: string;
+    /**
+     * - A function to call when the CSRF token is invalid.  It should accept `(req, res, next)` and send an appropriate error response.
+     */
+    errorResponse?: Function;
+    /**
+     * - A function to determine if CSRF protection should be applied.  It should accept `(req)` and return `true` to protect, `false` to skip.
+     */
+    protectCondition?: Function;
+    /**
+     * - A function to retrieve the CSRF token from the request.  It should accept `(req)` and return the token string or `null`.
+     */
+    getTransmitToken?: Function;
+};
+type Csrf = {
+    /**
+     * - The name of the request body or query parameter to check for the CSRF token.
+     */
+    param: string;
+    /**
+     * - The name of the local variable to set the CSRF token to for use in templates.
+     */
+    value: string;
+    /**
+     * - The storage configuration for the CSRF token.
+     */
+    storage: {
+        type: string;
+        options: any;
+    };
+    /**
+     * - The length of the CSRF token in bytes.
+     */
+    tokenLength: number;
+    /**
+     * - A function to get the CSRF token from the request.
+     */
+    getToken: Function;
+    /**
+     * - A function to clear the CSRF token from the request and/or response.
+     */
+    clearToken: Function;
+    /**
+     * - A function to determine if CSRF protection should be applied.
+     */
+    protectCondition: Function;
+    /**
+     * - A function to retrieve the CSRF token from the request.
+     */
+    getTransmitToken: Function;
+    /**
+     * - A function to call when the CSRF token is invalid.
+     */
+    errorResponse: Function;
+};
+/**
+ * @typedef {Object} CsrfConfig
+ * @property {number} [tokenLength=16] - The length of the CSRF token in bytes.
+ * @property {Object} [storage] - The storage configuration for the CSRF token.
+ * @property {string} [storage.type='session'] - The type of storage to use for the CSRF token ('session' or 'cookie').
+ * @property {Object} [storage.options={}] - Options to pass to the cookie storage (e.g., `domain`, `path`, `secure`, `httpOnly`). Only applicable when `storage.type` is 'cookie'.
+ * @property {string} [param='_csrf'] - The name of the request body or query parameter to check for the CSRF token.
+ * @property {string} [value='csrfToken'] - The name of the local variable to set the CSRF token to for use in templates.
+ * @property {function} [errorResponse] - A function to call when the CSRF token is invalid.  It should accept `(req, res, next)` and send an appropriate error response.
+ * @property {function} [protectCondition] - A function to determine if CSRF protection should be applied.  It should accept `(req)` and return `true` to protect, `false` to skip.
+ * @property {function} [getTransmitToken] - A function to retrieve the CSRF token from the request.  It should accept `(req)` and return the token string or `null`.
+ */
+/**
+ * @type {Object}
+ * @property {Object} STORAGE
+ * @property {string} STORAGE.SESSION - String constant representing session storage type.
+ * @property {string} STORAGE.COOKIE - String constant representing cookie storage type.
+ */
+declare const CONSTANT: any;