JWT hooks and CSRF protection
Configuration
The configuration settings.jwt.secretOrPublicKey
has been removed. Use settings.jwt.secret
or settings.jwt.publicKey
instead.
The configuration settings.jwt.cookieName
has been renamed to settings.jwt.cookie.name
.
See also this.
CSRF protection
The package @foal/csrf
has been removed. In version 2, the CSRF protection is directly included in the JWT hooks and can be enabled with settings.jwt.csrf.enabled
(the configuration key settings.csrf.enabled
has been removed).
npm uninstall @foal/csrf
There is no need anymore to provide a CSRF secret.
There is no need anymore to set manually the value of the sameSite
cookie attribute in the config.
There is no need anymore to specify an expire time for the CSRF cookie.
All of this is now managed by the framework.
The best way to use the new CSRF protection is to go directly to the CSRF page.
Warning: Using the below functions setAuthCookie
and removeAuthCookie
is required in order to provide CSRF protection.
Warning: In order to work better with some popular frontend frameworks, the default name of the CSRF cookie has been changed from csrfToken
to XSRF-TOKEN
.
New features
New features have been added to reduce the amount of code needed to use JWT as well as to make it easier to use. You can consult the Quick start page to see how to use these features.
JWT cookies
The JWT package has two new functions setAuthCookie
and removeAuthCookie
to manage JWT with cookies.
Read secrets and private/public keys
Secrets and private/public keys can be read from the configuration with the two new functions getSecretOrPrivateKey
and getSecretOrPublicKey
.
Encoded secrets with the configuration key settings.jwt.secretEncoding
are supported.