fix: resolve flaky CSRF token verification tests (#4)

Author: Aqil-Ahmad

example.test.ts

@@ -78,7 +78,7 @@ describe("Elysia CSRF Plugin", () => {
     expect(invalidRes.status).toBe(403);
   });
 
-  test.skip("should accept POST with valid token", async () => {
+  test("should accept POST with valid token", async () => {
     const app = new Elysia()
       .use(csrf({ cookie: true }))
       .get("/token", ({ csrfToken }) => ({ token: csrfToken() }))
@@ -104,7 +104,7 @@ describe("Elysia CSRF Plugin", () => {
     expect(data).toHaveProperty("success", true);
   });
 
-  test.skip("should extract token from custom header", async () => {
+  test("should extract token from custom header", async () => {
     const app = new Elysia()
       .use(
         csrf({
@@ -143,7 +143,7 @@ describe("Elysia CSRF Plugin", () => {
     expect(successRes.status).toBe(200);
   });
 
-  test.skip("should allow custom ignored methods", async () => {
+  test("should allow custom ignored methods", async () => {
     const app = new Elysia()
       .use(
         csrf({
@@ -166,7 +166,7 @@ describe("Elysia CSRF Plugin", () => {
     expect(getRes.status).toBe(200);
   });
 
-  test.skip("should apply custom cookie configuration", async () => {
+  test("should apply custom cookie configuration", async () => {
     const app = new Elysia()
       .use(
         csrf({
@@ -191,7 +191,7 @@ describe("Elysia CSRF Plugin", () => {
     expect(cookies).toContain("SameSite=Strict");
   });
 
-  test.skip("should allow token reuse across requests", async () => {
+  test("should allow token reuse across requests", async () => {
     const app = new Elysia()
       .use(csrf({ cookie: true }))
       .get("/token", ({ csrfToken }) => ({ token: csrfToken() }))
@@ -227,7 +227,7 @@ describe("Elysia CSRF Plugin", () => {
     expect(req2.status).toBe(200);
   });
 
-  test.skip("should support multiple token sources", async () => {
+  test("should support multiple token sources", async () => {
     const app = new Elysia()
       .use(
         csrf({
@@ -279,7 +279,7 @@ describe("Elysia CSRF Plugin", () => {
     expect(headerRes.status).toBe(200);
   });
 
-  test.skip("should work with HTML forms", async () => {
+  test("should work with HTML forms", async () => {
     const app = new Elysia()
       .use(csrf({ cookie: true }))
       .get("/form", ({ csrfToken }) => {
@@ -320,7 +320,7 @@ describe("Elysia CSRF Plugin", () => {
     expect(submitRes.status).toBe(200);
   });
 
-  test.skip("should support SPA pattern", async () => {
+  test("should support SPA pattern", async () => {
     const app = new Elysia()
       .use(
         csrf({

src/index.ts

@@ -42,7 +42,11 @@ function tokenize(secret: string, salt: string): string {
 /**
  * Verify if a given token is valid for a given secret.
  */
-function verifyToken(secret: string, token: string): boolean {
+function verifyToken(
+  secret: string,
+  token: string,
+  saltLength: number
+): boolean {
   if (!secret || typeof secret !== "string") {
     return false;
   }
@@ -51,13 +55,14 @@ function verifyToken(secret: string, token: string): boolean {
     return false;
   }
 
-  const index = token.indexOf("-");
-
-  if (index === -1) {
+  // The token format is: {salt}-{hash}
+  // where salt is exactly saltLength characters
+  // We need to check if there's a dash at the expected position
+  if (token.length < saltLength + 1 || token[saltLength] !== "-") {
     return false;
   }
 
-  const salt = token.slice(0, index);
+  const salt = token.slice(0, saltLength);
   const expected = tokenize(secret, salt);
 
   // Constant-time comparison
@@ -207,6 +212,9 @@ export const csrf = (options: CsrfOptions = {}) => {
     },
   })
     .derive({ as: "scoped" }, ({ cookie }) => {
+      // Cache the secret within this request context to avoid race conditions
+      let cachedSecret: string | undefined;
+
       // Helper to set cookie attributes
       const setCookieAttributes = (cookieValue: any) => {
         if (cookieConfig?.path) cookieValue.path = cookieConfig.path;
@@ -222,6 +230,11 @@ export const csrf = (options: CsrfOptions = {}) => {
 
       // Helper to get or create secret from cookie
       const getOrCreateSecret = (): string => {
+        // Return cached secret if available
+        if (cachedSecret) {
+          return cachedSecret;
+        }
+
         if (!cookieConfig) {
           throw new Error("CSRF: Cookie storage must be enabled");
         }
@@ -239,6 +252,8 @@ export const csrf = (options: CsrfOptions = {}) => {
           setCookieAttributes(cookieObj);
         }
 
+        // Cache the secret for this request context
+        cachedSecret = secret;
         return secret;
       };
 
@@ -296,7 +311,7 @@ export const csrf = (options: CsrfOptions = {}) => {
         }
 
         // Verify token
-        if (!verifyToken(secret, tokenValue)) {
+        if (!verifyToken(secret, tokenValue, saltLength)) {
           return new Response("Invalid CSRF token", { status: 403 });
         }
       }