
Disable CSRF Token Reuse

Open raviroshanmehta opened this issue 2 years ago • 3 comments

Prerequisites

  • [X] I have written a descriptive issue title
  • [X] I have searched existing issues to ensure the issue has not already been raised

Issue

Thanks for this great plug-in.

I have one concern. The same CSRF token I can use multiple times for the verification. Is there any option where I can make sure that the token is used only once?

raviroshanmehta avatar Feb 20 '23 13:02 raviroshanmehta

Thanks for reporting!

The same CSRF token I can use multiple times for the verification. Is there any option where I can make sure that the token is used only once?

Unfortunately, not at this point. I never implemented this because I think it would be extremely hard to create useful applications with it: the amount of code on the frontend to handle that kind of update is significant, and it is hard to make it refresh the token reliably.

mcollina avatar Feb 20 '23 14:02 mcollina

Can you please guide how we can restrict this token to one-time use only without losing this awesome core plugin? I really don't want to use any other module or custom code for adding a layer of CSRF security in my fastify project.

raviroshanmehta avatar Feb 24 '23 06:02 raviroshanmehta

What you should do is to store your tokens in a database and then validate against that. You'd need to send a PR for this feature. Essentially we would need to add a custom function to store the tokens and one to validate them / flag them as used.

mcollina avatar Feb 24 '23 14:02 mcollina