backport: hmac key (#132)

fastify · Apr 20, 2023 · 4d95248 · 4d95248
1 parent 7534c83
commit 4d95248
Show file tree

Hide file tree

Showing 5 changed files with 100 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -162,6 +162,7 @@ You can also pass the [cookie serialization](https://github.com/fastify/fastify-
 The option `userInfo` is required if `getUserInfo` has been specified in the module option.
 The provided `userInfo` is hashed  inside the csrf token and it is not directly exposed.
 This option is needed to protect against cookie tossing.
+The option `csrfOpts.hmacKey` is required if `getUserInfo` has been specified in the module option in combination with using [@fastify/cookie](https://github.com/fastify/fastify-cookie) as sessionPlugin
 
 ### `fastify.csrfProtection(request, reply, next)`
 

diff --git a/index.d.ts b/index.d.ts
@@ -38,6 +38,11 @@ export interface FastifyCsrfOptions {
   sessionKey?: string;
   getToken?: GetTokenFn;
   sessionPlugin?: '@fastify/cookie' | '@fastify/session' | '@fastify/secure-session';
+  csrfOpts: CSRFOptions;
+}
+
+export interface CSRFOptions {
+  hmacKey: string;
 }
 
 declare const fastifyCsrf: FastifyPlugin<FastifyCsrfOptions>;

diff --git a/index.js b/index.js
@@ -39,6 +39,11 @@ async function csrfPlugin (fastify, opts) {
   if (opts.getUserInfo) {
     csrfOpts.userInfo = true
   }
+
+  if (sessionPlugin === '@fastify/cookie' && csrfOpts.userInfo) {
+    assert(csrfOpts.hmacKey, 'csrfOpts.hmacKey is required')
+  }
+
   const tokens = new CSRF(csrfOpts)
 
   const isCookieSigned = cookieOpts && cookieOpts.signed

diff --git a/test/index.test-d.ts b/test/index.test-d.ts
@@ -6,6 +6,7 @@ async function run () {
   const fastify = Fastify()
   await fastify.register(FastifyCookie)
   await fastify.register(FastifyCsrf)
+  fastify.register(FastifyCsrf, { csrfOpts: { hmacKey: 'hmac' } })
 
   fastify.route({
     method: 'GET',

diff --git a/test/user-info.test.js b/test/user-info.test.js
@@ -17,6 +17,9 @@ test('Cookies with User-Info', async t => {
   await fastify.register(fastifyCsrf, {
     getUserInfo (req) {
       return userInfoDB[req.body.username]
+    },
+    csrfOpts: {
+      hmacKey: 'foo'
     }
   })
 
@@ -73,6 +76,9 @@ test('Session with User-Info', async t => {
     sessionPlugin: '@fastify/session',
     getUserInfo (req) {
       return req.session.username
+    },
+    csrfOpts: {
+      hmacKey: 'foo'
     }
   })
 
@@ -122,6 +128,9 @@ test('SecureSession with User-Info', async t => {
     sessionPlugin: '@fastify/secure-session',
     getUserInfo (req) {
       return req.session.get('username')
+    },
+    csrfOpts: {
+      hmacKey: 'foo'
     }
   })
 
@@ -163,3 +172,82 @@ test('SecureSession with User-Info', async t => {
 
   t.equal(response2.statusCode, 200)
 })
+
+test('Validate presence of hmac key with User-Info /1', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifyCookie)
+
+  await t.rejects(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    }
+  }), Error('csrfOpts.hmacKey is required'))
+})
+
+test('Validate presence of hmac key with User-Info /2', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifyCookie)
+
+  await t.rejects(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    },
+    sessionPlugin: '@fastify/cookie'
+  }), Error('csrfOpts.hmacKey is required'))
+})
+
+test('Validate presence of hmac key with User-Info /3', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifyCookie)
+
+  await t.rejects(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    },
+    csrfOpts: {
+      hmacKey: undefined
+    }
+  }), Error('csrfOpts.hmacKey is required'))
+})
+
+test('Validate presence of hmac key with User-Info /4', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifyCookie)
+
+  await t.rejects(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    },
+    sessionPlugin: '@fastify/cookie',
+    csrfOpts: {
+      hmacKey: undefined
+    }
+  }), Error('csrfOpts.hmacKey is required'))
+})
+
+test('Validate presence of hmac key with User-Info /5', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifySecureSession, { key, cookie: { path: '/', secure: false } })
+
+  await t.resolves(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    },
+    sessionPlugin: '@fastify/secure-session'
+  }))
+})
+
+test('Validate presence of hmac key with User-Info /6', async (t) => {
+  const fastify = Fastify()
+  await fastify.register(fastifySecureSession, { key, cookie: { path: '/', secure: false } })
+
+  await t.resolves(fastify.register(fastifyCsrf, {
+    getUserInfo (req) {
+      return req.session.get('username')
+    },
+    sessionPlugin: '@fastify/secure-session',
+    csrfOpts: {
+      hmacKey: 'foo'
+    }
+  }))
+})