Accept CSRF-Token and XSRF-Token request headers

closes #49 closes #50
expressjs · Feb 15, 2015 · a0fe52a · a0fe52a
1 parent aa0fd0e
commit a0fe52a
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 0 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Accept `CSRF-Token` and `XSRF-Token` request headers
   * Default `cookie.path` to `'/'`, if using cookies
   * deps: cookie-signature@1.0.6
   * deps: csrf@~2.0.6

diff --git a/README.md b/README.md
@@ -74,6 +74,8 @@ locations, in order:
   - `req.body._csrf` - typically generated by the `body-parser` module.
   - `req.query._csrf` - a built-in from Express.js to read from the URL
     query string.
+  - `req.headers['csrf-token']` - the `CSRF-Token` HTTP request header.
+  - `req.headers['xsrf-token']` - the `XSRF-Token` HTTP request header.
   - `req.headers['x-csrf-token']` - the `X-CSRF-Token` HTTP request header.
   - `req.headers['x-xsrf-token']` - the `X-XSRF-Token` HTTP request header.
 

diff --git a/index.js b/index.js
@@ -109,6 +109,8 @@ module.exports = function csurf(options) {
 function defaultValue(req) {
   return (req.body && req.body._csrf)
     || (req.query && req.query._csrf)
+    || (req.headers['csrf-token'])
+    || (req.headers['xsrf-token'])
     || (req.headers['x-csrf-token'])
     || (req.headers['x-xsrf-token']);
 }

diff --git a/test/test.js b/test/test.js
@@ -46,6 +46,40 @@ describe('csurf', function () {
     });
   });
 
+  it('should work in csrf-token header', function(done) {
+    var server = createServer()
+
+    request(server)
+    .get('/')
+    .expect(200, function (err, res) {
+      if (err) return done(err)
+      var token = res.text;
+
+      request(server)
+      .post('/')
+      .set('Cookie', cookies(res))
+      .set('csrf-token', token)
+      .expect(200, done)
+    });
+  });
+
+  it('should work in xsrf-token header', function(done) {
+    var server = createServer()
+
+    request(server)
+    .get('/')
+    .expect(200, function (err, res) {
+      if (err) return done(err)
+      var token = res.text;
+
+      request(server)
+      .post('/')
+      .set('Cookie', cookies(res))
+      .set('xsrf-token', token)
+      .expect(200, done)
+    });
+  });
+
   it('should work in x-csrf-token header', function(done) {
     var server = createServer()