Makerkit is a product of Makerkit Pte Ltd (registered in the Republic of Singapore). Company Registration No: 202407149C. For support or inquiries, please contact us.
Checking CSRF Tokens

How to check CSRF tokens in your Next.js Firebase API routes using the "withCsrf" HOC.

Use the withCsrf HOC to ensure that only requests carrying a valid CSRF token reach your API routes.

By default the CSRF token is expected in the x-csrf-token request header. If the header is missing, or the token it carries is invalid, the request is rejected before your handler runs.

pages/api/hello.ts
import { NextApiRequest, NextApiResponse } from 'next';
import { withAuthedUser } from '~/core/middleware/with-authed-user';
import { withMethodsGuard } from '~/core/middleware/with-methods-guard';
import { withPipe } from '~/core/middleware/with-pipe';
import withCsrf from './with-csrf';

function helloWorldHandler(
  req: NextApiRequest,
  res: NextApiResponse
) {
  res.status(200).json({ text: 'Hello' });
}

// The middleware runs in order: the caller must be signed in, the method
// must be POST, and the x-csrf-token header must hold a valid token before
// the handler executes.
export default withPipe(
  withAuthedUser,
  withMethodsGuard(['POST']),
  withCsrf(),
  helloWorldHandler,
);

If your client sends the CSRF token some other way (for example in the request body rather than the header), pass a function to withCsrf that extracts the token from the request.

pages/api/hello.ts
import { NextApiRequest, NextApiResponse } from 'next';
import { withAuthedUser } from '~/core/middleware/with-authed-user';
import { withMethodsGuard } from '~/core/middleware/with-methods-guard';
import { withPipe } from '~/core/middleware/with-pipe';
import withCsrf from './with-csrf';

async function helloWorldHandler(
  req: NextApiRequest,
  res: NextApiResponse
) {
  // Read the token from the request body instead of the x-csrf-token header.
  await withCsrf(req, () => req.body.csrfToken);

  res.status(200).json({ text: 'Hello' });
}

export default withPipe(
  withAuthedUser,
  withMethodsGuard(['POST']),
  helloWorldHandler,
);
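The check both routes above rely on, as an added example that is not Makerkit's own code: a withCsrf-style guard with a pluggable token extractor and a withPipe-style composer, compared in constant time against the token bound to the session. The csrfToken cookie name, the stand-in request/response types and the run helper are assumptions made so the example runs without Next.js installed; the kit's real internals may differ.

```typescript
import { timingSafeEqual } from 'node:crypto';
// Minimal stand-ins for NextApiRequest / NextApiResponse (constructed for this
// example so it runs without Next.js installed).
type Dict = Record<string, string | undefined>;
interface Req { headers: Dict; cookies: Dict; body?: { csrfToken?: string } }
interface Res { statusCode: number; sent: boolean; payload?: unknown }
type Middleware = (req: Req, res: Res) => void;

// Assumption: the server issued the expected token to the browser in a
// 'csrfToken' cookie; the client echoes it in x-csrf-token (or the body).
const CSRF_COOKIE = 'csrfToken';
const headerToken = (req: Req) => req.headers['x-csrf-token'];
function reply(res: Res, status: number, payload: unknown): void {
  res.statusCode = status; res.payload = payload; res.sent = true;
}
// Constant-time comparison; lengths are compared first because
// timingSafeEqual throws when the buffers differ in length.
function tokensMatch(expected: string, provided: string): boolean {
  const a = Buffer.from(expected), b = Buffer.from(provided);
  return a.length === b.length && timingSafeEqual(a, b);
}

// withCsrf-style guard: 403 unless the token supplied with the request
// matches the one bound to the session; the token extractor is pluggable.
function withCsrf(getToken: (req: Req) => string | undefined = headerToken): Middleware {
  return (req, res) => {
    const expected = req.cookies[CSRF_COOKIE];
    const provided = getToken(req);
    if (!expected || !provided || !tokensMatch(expected, provided)) {
      reply(res, 403, { error: 'Invalid CSRF token' });
    }
  };
}

// withPipe-style composer: run steps in order, stop once one has responded.
function withPipe(...steps: Middleware[]): Middleware {
  return (req, res) => {
    for (const step of steps) { step(req, res); if (res.sent) return; }
  };
}
const hello: Middleware = (_req, res) => reply(res, 200, { text: 'Hello' });
const headerRoute = withPipe(withCsrf(), hello);                                // header variant
const bodyRoute = withPipe(withCsrf((req) => req.body?.csrfToken), hello);      // body variant

// Drive a route with a constructed request and return the response object.
function run(route: Middleware, req: Req): Res {
  const res: Res = { statusCode: 200, sent: false };
  route(req, res);
  return res;
}
```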