Only the last csrfToken generated will be valid

[chr15m]

If any token other than the last call to req.csrfToken() is passed it fails. In a situation where multiple clients are loading the page and each getting a token this means most form submissions will fail, because only the client last loading the page will have a valid csrf token.

To replicate:

1. Run your example server.
2. Verify you can submit correctly.
3. Reload the page (so csrfToken is set again).
4. Without submitting, open a new tab (so a new csrfToken is generated).
5. Now go back to the first tab and submit.
6. Observe the error as the csrf check things the first token generated is now invalid.

Maybe I'm missing something obvious but it seems to me this renders the library as not fit for purpose.

[valexandersaulys]

Taking a look at the source code, I don't see this occurring.

The csrfToken is generated on a per-request basis but its compared within the request. There's nothing storing the state server-side that would be reset.

I wrote this test to mimic what you're describing and it seems fine to me.

  it("allows for cookie reuse", () => {
    // get the page once
    const reqOne = mockRequest({
      method: "GET",
      signedCookies: {},
      body: {},
      headers: {
        referer: "http://localhost:3001"
      }
    });
    const resOne = mockResponse({
      cookie: sinon.stub()
    });
    const nextOne = sinon.stub();
    this.csrfMiddlware(reqOne, resOne, nextOne);
    assert.isFunction(reqOne.csrfToken);
    const csrfTokenOne = reqOne.csrfToken();
    assert.isNotNull(csrfTokenOne);

    // get the page a second time
    const reqTwo = mockRequest({
      method: "GET",
      signedCookies: {},
      body: {},
      headers: {
        referer: "http://localhost:3001"
      }
    });
    const resTwo = mockResponse({
      cookie: sinon.stub()
    });
    const nextTwo = sinon.stub();
    this.csrfMiddlware(reqTwo, resTwo, nextTwo);
    assert.isFunction(reqTwo.csrfToken);
    const csrfTokenTwo = reqTwo.csrfToken();
    assert.isNotNull(csrfTokenTwo);

    // submit the first page request
    const reqThree = mockRequest({
      method: "POST",
      signedCookies: {
        csrfToken: encryptCookie(csrfTokenOne, this.secret)
      },
      body: {
        _csrf: csrfTokenOne
      },
      headers: {
        referer: "http://localhost:3001"
      }
    });
    const resThree = mockResponse({
      cookie: sinon.stub()
    });
    const nextThree = sinon.stub();
    assert.isNotFunction(reqThree.csrfToken);
    this.csrfMiddlware(reqThree, resThree, nextThree);
    assert.isTrue(nextThree.calledOnce);
  });

[chr15m]

Have you actually tried running your demo server and accessing it from two tabs and observing that one of the tabs is unable to log in and throws a CSRF error?

[valexandersaulys]

Ok I see what you mean. Given the test passes, this smells like something to do with how browsers operate and thus is related to the configuration (which may be why you mentioned it in a separate thread).

There will have to be some investigation into modifying those cookie parameters. I'm open to suggestions on how they should be set.

Unfortunately my time is limited and I don't deal with javascript on a regular basis. I'll get to this when I can.