Juan Olvera
How far are we from releasing v0.12 and patching this?
@Get-DevVed-YT the secret shouldn't reach the browser. We use the secret to generate a token on the server-side. The token then is exposed to the browser by saving it in...
@Esarhaddon it's not a dumb question at all, actually, it's a very valid question and there was a bug allowing unprotected API routes to provide CSRF tokens. I'm working on...
My idea of the implementation was to generate the csrf token when a user visits the page. We don't expose the secret to the client, but the token that we...
- [ ] Integrate https://github.com/j0lv3r4/next-csrf
@lardissone with the new API changes the expiration is set in the cookies with `maxAge`. This will work well for API routes and SSR pages with `getServerSideProps`, but not on...
Role permission isn't implemented yet. I hope to work on a roadmap soon that would include an implementation.
@sha256 you are right. As an additional security layer, if the user provides a secret, the token is HMAC signed, but only if a secret is provided. The changes you...
I need this feature. Are the owners of the repo active lately? I don't want to put in the work if they aren't reviewing pull requests.
@matteing thanks for the reply and the initial work! > Package seems long unmaintained. ugh, forking it is then.