Light

kentcdodds / epic-stack-with-csrf Goto Github PK

View Code? Open in Web Editor NEW

12.0 2.0 2.0 4.7 MB

An example of the Epic Stack with CSRF protection on forms

JavaScript 2.20% Dockerfile 0.88% TypeScript 92.08% CSS 4.84%

epic-stack epic-stack-example

epic-stack-with-csrf's Introduction

Epic Stack with CSRF Protection

This is an example of how to integrate the remix-utils package utilities for Cross-Site Request Forgery (CSRF) protection with the Epic Stack. The easiest way to explore the example is to pull up the commit history.

Following the steps laid out in the Remix Utils docs is sufficient for this:

Install remix-utils
Generate the authenticity token in the root.tsx loader (be certain to commit the session to set the cookie)
Wrap the App in the <AuthenticityTokenProvider /> and provide the token
Render a Form with the <AuthenticityTokenInput /> component
Verify in the Action using verifyAuthenticityToken and the session.

epic-stack-with-csrf's People

Contributors

Stargazers

Watchers

Forkers

zeugma48 devmaster921

epic-stack-with-csrf's Issues

Doc suggestion: verifyAuthenticityToken cannot be used with request if the request body has been accessed

I've just used this example to add csrf to the site I was working on, and tripped over an issue that the verifyAuthenticityToken function needs to be given the response before the body of it has been accessed.

e.g. this doesn't work (it throws due to the request body "having been used"):

	let session = await getSession(request.headers.get('Cookie'))
	const formData = await request.formData()
	await verifyAuthenticityToken(request, session)

This does work:

	let session = await getSession(request.headers.get('Cookie'))
	await verifyAuthenticityToken(request, session)
	const formData = await request.formData()

This also works

	let session = await getSession(request.headers.get('Cookie'))
	const formData = await request.formData()
	await verifyAuthenticityToken(formData, session)

Since I'd been wanting to wrap the verify in a try/catch and send back the contents of the form data in the catch clause's error, I'd defaulted to using the first way only to be very confused when the catch clause was firing (the error object seemed to be empty as a result of misconfiguring winston, so I wasn't getting any useful information from it). It's an unexpected limitation that is really easy to trip over.

(Thank you so much for your work and examples on the Epic Stack!)

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.