{
  "name": "csrf-lite",
  "version": "0.1.0",
  "description": "csrf protection for framework-less node sites",
  "main": "csrf.js",
  "scripts": {
    "test": "tap test/*.js"
  },
  "repository": {
    "type": "git",
    "url": "git://github.com/isaacs/csrf-lite"
  },
  "keywords": [
    "csrf",
    "cross",
    "site",
    "request",
    "forgery"
  ],
  "author": {
    "name": "Isaac Z. Schlueter",
    "email": "i@izs.me",
    "url": "http://blog.izs.me"
  },
  "license": "BSD",
  "devDependencies": {
    "cookies": "~0.3.6",
    "request": "~2.12.0",
    "tap": "0.4"
  },
  "readme": "# csrf-lite\n\nCSRF protection utility for framework-free node sites.\n\n## Usage\n\n```javascript\nvar csrf = require('csrf-lite');\nvar Cookies = require('cookies');\nvar qs = require('querystring');\n\nhttp.createServer(function (req, res) {\n  var c = new Cookies(req, res);\n\n  // use the session id as the token\n  var token = c.get('sessid');\n\n  // if the user doesn't have one, then give them one.\n  // it's just a random string anyway.\n  if (!token) {\n    token = csrf(token);\n    c.set('sessid', token);\n  }\n\n  switch (req.method) {\n    case 'GET': return showForm(req, res, token);\n    case 'POST': return validForm(req, res, token);\n  }\n}).listen(PORT)\n\nfunction showForm(req, res, token) {\n  res.end('<html><form method=post>' +\n          '<label>Name <input name=name></label>' +\n          // add the csrf token html\n          csrf.html(token) +\n          '<input type=submit value=GO>' +\n          '</form></html>');\n}\n\nfunction validForm(req, res, token) {\n  // note: this won't work for \n  req.setEncoding('utf8');\n  var data = '';\n  req.on('data', function(c) {\n    data += c;\n  });\n  req.on('end', function() {\n    data = querystring.parse(data);\n\n    // validate with the user's token\n    var valid = csrf.validate(data, token);\n    if (valid)\n      res.end('ok\\n');\n    else {\n      res.statusCode = 403;\n      res.end('csrf detected!\\n');\n    }\n  });\n}\n```\n\n## csrf(token)\n\nIf a token is supplied, then returns it.  If not, then it generates a\n192-bit random string and returns that.\n\nMake sure that you stash the token somewhere like a session or\nsomething, so that it can be retrieved later.\n\n## csrf.html(token)\n\nReturns an `<input>` field containing the token, for csrf validation\nin forms.\n\nIf no token is provided, then it returns nothing.\n\n## csrf.validate(data, token)\n\nValidates that the `x-csrf-token` field is equal to the token.  Call this\nwith the parsed form data on the other side.  Can also be used on\nrequest headers, query string, or any other random data.\n",
  "readmeFilename": "README.md",
  "_id": "csrf-lite@0.1.0",
  "_from": "csrf-lite@latest"
}
