implements potential csrf protection

2020-08-21 15:20:21 -04:00
parent 857cf088f6
commit 60552d9d86
2 changed files with 16 additions and 3 deletions
--- a/src/auth/getExtractJWT.js
+++ b/src/auth/getExtractJWT.js
@@ -10,9 +10,13 @@ const getExtractJWT = (config) => (req) => {
  const cookies = parseCookies(req);
  const tokenCookieName = `${config.cookiePrefix}-token`;

-  if (cookies && cookies[tokenCookieName]) {
-    const token = cookies[tokenCookieName];
-    return token;
+  if (cookies && cookies[tokenCookieName] && Array.isArray(config.csrf)) {
+    const { headers: { origin } = {} } = req;
+
+    if (config.csrf.indexOf(origin) > -1) {
+      const token = cookies[tokenCookieName];
+      return token;
+    }
  }

  return null;