Questions Regarding CSRF Token Handling in Next.js Page Router #75
Comments
The tokens are salted to generate randomness and mitigate BREACH attacks.
You can fetch the token once (e.g. on initial page load) and use it for all your POST requests, so your approach should work. Actually, I looked into adding a React context helper to the library a while ago, but at the time I couldn't figure out a way to make it developer friendly. If you like your approach and it's easy to share, it'd be a great addition to the library.
Global solution for managing the CSRF token using React Context and the _app.tsx file. Below are the key parts of the code:
csrfContext.tsx
_app.tsx
useFetch Hook
Currently, I understand that the _csrfSecret remains the same in cookies across multiple GET requests, even though each request provides a new CSRF token. What I'm thinking is:
Question

What are you trying to do? I thought you were going to use a React context in order to make a token available to your entire app, but it sounds like you're considering making changes to the implementation itself. In terms of implementation, this library uses the signed double-submit cookie pattern described here. This pattern is well vetted, so I'd be hesitant to take a different approach because you could introduce security holes into your app accidentally.

This is what I have implemented in my project.

I am not implementing this in my project. Just wanted to discuss this approach.

I don't see any security issues with your CSRF context implementation. You're fetching the token server side and making it available to the app internally client-side, which is fine.
Token Generation Behavior:
Question 1:
If the CSRF token from the first page is still considered valid (because it matches the original _csrfSecret), what is the purpose of generating multiple tokens (one per page load)? Shouldn't the token be consistent as long as the _csrfSecret remains the same?
The examples provided in the documentation suggest fetching the CSRF token in the getServerSideProps of each page.
Question 2:
Instead of fetching the token on every page through getServerSideProps, can I fetch the CSRF token once in the _app.tsx using getInitialProps?
My idea is to: