/**
 * CSRF Protection Usage Example
 * Demonstrates how to use the CSRF protection system
 */

import { CSRFManager } from './csrf-manager';
import type { CSRFConfig, CSRFRequest } from './types';

// Example configuration.
// The `secret` literal below is a placeholder for illustration only. A real
// deployment should supply a long random value from a secret store or the
// environment at startup and keep it out of source control.
const ONE_HOUR_MS = 60 * 60 * 1000;

const config: CSRFConfig = {
  secret: 'your-secret-key-here-should-be-random-and-secure',
  tokenExpiry: ONE_HOUR_MS, // 1 hour (value is in milliseconds)
  cookieName: '__csrf-token',
  headerName: 'X-CSRF-Token',
  fieldName: '_csrf',
  // Cookie hardening flags; presumably these map to the Secure, HttpOnly and
  // SameSite=Strict cookie attributes (confirm in CSRFManager).
  // NOTE(review): with httpOnlyCookie enabled, page script cannot read the
  // cookie, so the client has to obtain the token some other way (response
  // header, form field or generated script) - confirm this matches the
  // intended double-submit flow.
  secureCookie: true,
  httpOnlyCookie: true,
  sameSite: 'strict'
};

// One shared manager instance used by every example in this file.
const csrfManager = new CSRFManager(config);

// Example 1: Session-based CSRF protection
/**
 * Walks through the session-bound flow: issue a token for a session id, build
 * the form field, validate the token directly, then validate a simulated
 * request that carries the token in the `X-CSRF-Token` header.
 *
 * The token value and validation results are printed for demonstration only;
 * in an application, CSRF tokens should be kept out of logs.
 */
function sessionBasedExample() {
  console.log('=== Session-based CSRF Protection ===');

  const sessionId = 'user-session-12345';

  // Issue a token for this session id.
  const issued = csrfManager.generateToken(sessionId);
  console.log('Generated token:', issued.value);

  // Markup for embedding a token in an HTML form.
  const formFieldHtml = csrfManager.generateFormField(sessionId);
  console.log('Form field HTML:', formFieldHtml);

  // Check the issued token against the session id it was generated for.
  const directCheck = csrfManager.validateToken(issued.value, sessionId);
  console.log('Token validation:', directCheck);

  // Simulated incoming request: token in the header, same session id.
  const simulated: CSRFRequest = {
    headers: { 'X-CSRF-Token': issued.value },
    sessionId
  };
  console.log('Request validation:', csrfManager.validateRequest(simulated));
}

// Example 2: Double-submit cookie pattern
/**
 * Demonstrates the double-submit cookie flow: ask the manager for the response
 * headers and cookies to send, then validate a simulated request that echoes
 * the same values back in the `X-CSRF-Token` header and `__csrf-token` cookie.
 *
 * The simulated request carries no `sessionId`.
 */
function doubleSubmitExample() {
  console.log('\n=== Double-Submit Cookie Pattern ===');

  const sessionId = 'user-session-67890';

  // Values the server would attach to its response.
  const issued = csrfManager.setupDoubleSubmitProtection(sessionId);
  console.log('Response headers:', issued.headers);
  console.log('Response cookies:', issued.cookies);

  // Echo the issued values back as a client would.
  // NOTE(review): both values fall back to '' when absent. Confirm that
  // validateRequest rejects empty tokens rather than treating two empty
  // strings as a match.
  // NOTE(review): a plain header/cookie equality check can be defeated by
  // anyone able to set cookies for the domain; confirm the manager ties the
  // cookie value to `secret` or to the session.
  const headerToken = issued.headers['X-CSRF-Token'] || '';
  const cookieToken = issued.cookies[0]?.value || '';

  const echoed: CSRFRequest = {
    headers: { 'X-CSRF-Token': headerToken },
    cookies: { '__csrf-token': cookieToken }
  };

  const outcome = csrfManager.validateRequest(echoed);
  console.log('Double-submit validation:', outcome);
}

// Example 3: Client-side integration
/**
 * Generates the client-side helper script for a session id and reports its
 * size and whether it contains the `injectFormTokens` and
 * `setupAjaxInterceptor` identifiers. The script text itself is not printed.
 */
function clientSideExample() {
  console.log('\n=== Client-side Integration ===');

  // NOTE(review): if the generated script embeds the session's token, it
  // should be served only to that session's own pages and not cached for
  // other users - confirm against generateClientScript.
  const script = csrfManager.generateClientScript('user-session-12345');
  console.log('Client script length:', script.length, 'characters');

  const hasFormInjection = script.includes('injectFormTokens');
  console.log('Script includes form injection:', hasFormInjection);

  const hasAjaxInterceptor = script.includes('setupAjaxInterceptor');
  console.log('Script includes AJAX interceptor:', hasAjaxInterceptor);
}

// Example 4: Express.js middleware example
/**
 * Builds an Express-style middleware that enforces CSRF validation on every
 * non-GET request and answers 403 when the session id is missing or the
 * validation fails. The middleware is only constructed here, not mounted or
 * returned; the function prints how it would be used.
 */
function expressMiddlewareExample() {
  console.log('\n=== Express.js Middleware Example ===');

  // This would be used in an Express.js application.
  const csrfMiddleware = (req: any, res: any, next: any) => {
    // Only GET is exempt. This is safe only as long as no GET route changes
    // state; every other method (including HEAD and OPTIONS) is validated.
    const isExemptMethod = req.method === 'GET';
    if (isExemptMethod) {
      return next();
    }

    // Session id as exposed by the session middleware; fail closed without it.
    const sessionId = req.session?.id || req.sessionID;
    if (!sessionId) {
      return res.status(403).json({ error: 'Session required' });
    }

    // Assumes body- and cookie-parsing middleware ran earlier so that
    // `req.body` and `req.cookies` are populated - TODO confirm.
    // NOTE(review): Node lower-cases incoming header names, so `req.headers`
    // holds `x-csrf-token`; confirm validateRequest looks the header up
    // case-insensitively.
    const { headers, body, cookies } = req;
    const csrfRequest: CSRFRequest = { headers, body, cookies, sessionId };

    const outcome = csrfManager.validateRequest(csrfRequest);
    if (outcome.valid) {
      next();
      return;
    }

    // NOTE(review): `outcome.error` is sent to the client verbatim; confirm it
    // carries no internal detail, and consider logging the rejection
    // server-side for monitoring.
    return res.status(403).json({
      error: 'CSRF validation failed',
      message: outcome.error
    });
  };

  console.log('Express middleware created');
  console.log('Usage: app.use(csrfMiddleware)');
}

// Example 5: Statistics and monitoring
/**
 * Generates three tokens (two for `session-1`, one for `session-2`), then
 * prints the manager's statistics and four fields of its active configuration.
 *
 * Only `tokenExpiry`, `cookieName`, `headerName` and `fieldName` are printed.
 * The whole config object is not logged, because the configuration passed to
 * the manager includes `secret`.
 */
function statisticsExample() {
  console.log('\n=== Statistics and Monitoring ===');

  // Seed the manager with tokens across two sessions.
  csrfManager.generateToken('session-1');
  csrfManager.generateToken('session-1');
  csrfManager.generateToken('session-2');

  console.log('CSRF Statistics:', csrfManager.getStats());

  // Pick out the fields to report rather than printing the full object.
  const { tokenExpiry, cookieName, headerName, fieldName } = csrfManager.getConfig();
  console.log('CSRF Configuration:', { tokenExpiry, cookieName, headerName, fieldName });
}

// Run every example, in order, only when this file is executed directly
// (not when it is imported for its exported functions).
if (require.main === module) {
  const examples = [
    sessionBasedExample,
    doubleSubmitExample,
    clientSideExample,
    expressMiddlewareExample,
    statisticsExample
  ];
  for (const runExample of examples) {
    runExample();
  }

  // Clean up the shared manager once all examples have run.
  csrfManager.destroy();
}

export {
    clientSideExample, doubleSubmitExample, expressMiddlewareExample, sessionBasedExample, statisticsExample
};
