chore(release): 4.0.0

Author: psibean

CHANGELOG.md

@@ -1,6 +1,38 @@
 # Changelog
 
-All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
+
+## [4.0.0](https://github.com/Psifi-Solutions/csrf-csrf/compare/v3.0.7...v4.0.0) (2025-04-27)
+
+
+### ⚠ BREAKING CHANGES
+
+This list may not be an exhaustive list of breaking changes, for more information consult the [version 3 -> 4 upgrade guide](./UPGRADING.md#version-3---4) and the updated configuration documentation in the [README](./README.md).
+
+* Token generation now uses `createHmac`, the format has changed significantly, see the [CSRF token format](./UPGRADING.md#csrf-token-format-has-changed) section of the upgrade guide.
+* `getSessionIdentifier` is now required and must return a unique identifier per-request (and per-session) - this is an essential part of CSRF token security
+* `getTokenFromRequest` renamed to `getCsrfTokenFromRequest`
+* `generateToken` renamed to `generateCsrfToken`
+* `overwrite` and `validateOnReuse` parameters for `generateCsrfToken` have been merged into a single object parameter which also accepts `cookieOptions`: `generateCsrfToken(req, res, options);`
+* Default value for `validateOnReuse` is now `false`
+* Default value for `cookieOptions.sameSite` is now `strict`
+* `cookieOptions.signed` is no longer available, CSRF tokens are inherently signed, this is redundant
+* `delimiter` option removed, `csrfTokenDelimiter` and `messageDelimiter` are now used for the respective purpose
+* `signed` option in `cookieOptions` config option removed (redundant), csrf tokens generated by csrf-csrf are inherently signed 
+* `size` config option now sets the size of the message used to construct the hmac, now defaults to `32` instead of `64`, this is combined with the return value of `getSessionIdentifier` to construct the hmac payload
+* Type `CsrfTokenCookieOverrides` renamed to `CsrfTokenCookieOptions`
+* Type `CsrfTokenCreator` renamed to `CsrfTokenGenerator`
+* Type `doubleCsrfProtection` renamed to `DoubleCsrfProtection`
+* Type `RequestMethod` renamed to `CsrfRequestMethod`
+* Type `CsrfIgnoredMethods` renamed to `CsrfIgnoredRequestMethods`
+
+### Features
+
+* change default value of sameSite to 'strict' ([ba5973e](https://github.com/Psifi-Solutions/csrf-csrf/commit/ba5973e44ddf7fdf0baeff038855f7307a5a1cd9))
+* change validateOnReuse to false by default ([5fc62a9](https://github.com/Psifi-Solutions/csrf-csrf/commit/5fc62a98b797a7e1bc81a5d98a1c0509e1de4e76))
+* expose per token cookie settings ([#60](https://github.com/Psifi-Solutions/csrf-csrf/issues/60)) ([456b317](https://github.com/Psifi-Solutions/csrf-csrf/commit/456b3179eac02deeb90cd7112f7ddbd6377c9758))
+* **types:** add CsrfTokenGeneratorRequestUtil type ([72fd659](https://github.com/Psifi-Solutions/csrf-csrf/commit/72fd659f7e8ee9e82e820b1da9c393c4864dc43d))
+* use hmac to generate csrf tokens ([e4c5ec3](https://github.com/Psifi-Solutions/csrf-csrf/commit/e4c5ec3ec0dc801ef0fca2ef89e1e4ff79f85aad))
 
 ### [3.2.2](https://github.com/Psifi-Solutions/csrf-csrf/compare/v3.2.1...v3.2.2) (2025-04-24)
 

README.md

@@ -23,7 +23,7 @@
   <a href="#getting-started">Getting Started</a> •
   <a href="#configuration">Configuration</a> •
   <a href="#utilities">Utilities</a> •
-  <a href="FAQ.md">FAQ</a> •
+  <a href="./FAQ.md">FAQ</a> •
   <a href="#support">Support</a>
 </p>
 
@@ -44,10 +44,10 @@
 
 <h2 id="getting-started">Getting Started</h2>
 
-<p><b>This branch is currently for the unreleased version 4, to find the README for the latest released version please see the <a href="https://github.com/Psifi-Solutions/csrf-csrf/tree/v3.x.x">v3.x.x branch</a>.</b></p>
+<p><b>Version 4 is now live!</b> If you are upgrading from version 3 check the <a href="./CHANGELOG.md">changelog</a>, the <a href="./UPGRADING.md">upgrade guide</a>, and the updated configuration documentation below.</p>
 
 <p>
-  Before getting started with <code>csrf-csrf</code> you should consult the <a href="FAQ.md">FAQ</a> and determine whether you need CSRF protection and whether <code>csrf-csrf</code> is the right choice.
+  Before getting started with <code>csrf-csrf</code> you should consult the <a href="./FAQ.md">FAQ</a> and determine whether you need CSRF protection and whether <code>csrf-csrf</code> is the right choice.
 </p>
 <p>
   This section will guide you through using the default setup, which sufficiently implements the Double Submit Cookie Pattern. If you would like to customise the configuration, see the <a href="#configuration">configuration</a> section.

example/complete/package.json

@@ -12,7 +12,7 @@
   "license": "ISC",
   "dependencies": {
     "cookie-parser": "^1.4.6",
-    "csrf-csrf": "file:../../csrf-csrf-3.2.0.tgz",
+    "csrf-csrf": "4.0.0",
     "express": "^4.19.2",
     "express-session": "1.18.1"
   }

example/react/backend/package.json

@@ -24,7 +24,7 @@
     "connect-redis": "8.0.3",
     "cookie-parser": "1.4.7",
     "cors": "2.8.5",
-    "csrf-csrf": "file:./csrf-csrf-3.2.2.tgz",
+    "csrf-csrf": "4.0.0",
     "ejs": "3.1.10",
     "express": "5.1.0",
     "express-session": "1.18.1",

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "csrf-csrf",
-  "version": "3.2.2",
+  "version": "4.0.0",
   "description": "A utility package to help implement stateless CSRF protection using the Double Submit Cookie Pattern in express.",
   "type": "module",
   "main": "./dist/index.cjs",