feat: CSRF cookies allow the use of signatures

app/extend/context.js

@@ -82,15 +82,15 @@ module.exports = {
    */
   get [CSRF_SECRET]() {
     if (this[_CSRF_SECRET]) return this[_CSRF_SECRET];
-    let { useSession, cookieName, sessionName } = this.app.config.security.csrf;
+    let { useSession, cookieName, sessionName, cookieOptions = {} } = this.app.config.security.csrf;
     // get secret from session or cookie
     if (useSession) {
       this[_CSRF_SECRET] = this.session[sessionName] || '';
     } else {
       // cookieName support array. so we can change csrf cookie name smoothly
       if (!Array.isArray(cookieName)) cookieName = [ cookieName ];
       for (const name of cookieName) {
-        this[_CSRF_SECRET] = this.cookies.get(name, { signed: false }) || '';
+        this[_CSRF_SECRET] = this.cookies.get(name, { signed: cookieOptions.signed || false }) || '';
         if (this[_CSRF_SECRET]) break;
       }
     }

config/config.default.js

@@ -50,6 +50,10 @@ module.exports = () => {
       refererWhiteList: [
         // 'eggjs.org'
       ],
+      // csrf token's cookie options
+      cookieOptions: {
+        signed: false,
+      },
     },
 
     xframe: {

test/csrf_cookieDomain.test.js

@@ -64,4 +64,24 @@ describe('test/csrf_cookieDomain.test.js', () => {
         .expect('Set-Cookie', /csrfToken=[\w\-]+; path=\/; httponly/);
     });
   });
+
+  describe('cookieOptions use signed', () => {
+    let app;
+    before(() => {
+      app = mm.app({
+        baseDir: 'apps/csrf-cookieOptions-signed',
+      });
+      return app.ready();
+    });
+    after(() => app.close());
+
+    it('should auto set csrfToken and csrfToken.sig with cookie options on GET request', () => {
+      return app.httpRequest()
+        .get('/hello')
+        .set('Host', 'abc.aaaa.ddd.string.com')
+        .expect('hello csrfToken cookieOptions signed')
+        .expect(200)
+        .expect('Set-Cookie', /csrfToken=[\w\-]+; path=\/,csrfToken\.sig=[\w\-]+; path=\//);
+    });
+  });
 });

test/fixtures/apps/csrf-cookieOptions-signed/app/controller/home.js

@@ -0,0 +1,9 @@
+'use strict';
+
+module.exports = app => {
+  return class Home extends app.Controller {
+    * index() {
+      this.ctx.body = 'hello csrfToken cookieOptions signed';
+    }
+  };
+};

test/fixtures/apps/csrf-cookieOptions-signed/app/router.js

@@ -0,0 +1,5 @@
+'use strict';
+
+module.exports = app => {
+  app.get('/hello', 'home.index');
+};

test/fixtures/apps/csrf-cookieOptions-signed/config/config.default.js

@@ -0,0 +1,11 @@
+'use strict';
+
+exports.keys = 'cookie options';
+
+exports.security = {
+  csrf: {
+    cookieOptions: {
+      signed: true
+    },
+  },
+};

test/fixtures/apps/csrf-cookieOptions-signed/package.json

@@ -0,0 +1,3 @@
+{
+  "name": "csrf-cookieOptions-signed"
+}