Create new token when token is invalid and `validateOnReuse` is true

[marvin-wtt]

With the current behavior, the user is stuck in an invalid state once the CSRF-Token is invalid and override is false.

My proposal is to not throw an exception and return a new, valid token instread.

https://github.com/Psifi-Solutions/csrf-csrf/blob/main/src/index.ts#L82

[psibean]

So there is a bug here, but I don't think it's quite what you have described. The original intention of validateOnReuse is/was to prevent the error from being thrown.

The implication here is that:

1. When reusing a token, it should always check if the token is valid, and either return the existing (if it is valid) or a new token. This way generateCsrfToken will always return a valid token.
2. If the token is invalid and validateOnReuse is true, then it will throw the error.

In the next major version, I intend to remove the validateOnReuse entirely, there's no real need for it. Every other CSRF implementation just silently ignores invalid tokens and generates a new one.

I'm working at this moment but I'll get a fix out for this and release in 4.0.3

[marvin-wtt]

Alright. Let me know if you'd prefer a PR.

Thanks a lot for your work

[psibean]

I said fuck it and decided to work it, hopefully #117 will do the trick here, it was a bit more cumbersome than I had expected it to be.

Looks like the logic here was a bit more broken than anticipated.

For the generateCsrfToken call, validation is now 100% derived from the cookie value, validateOnReuse is now strictly used to either throw or not throw, token is ALWAYS validated such that generateCsrfToken will always return a valid token, this is a separate code path to the actual CSRF validation of the middleware.

[psibean]

Fixed with release of 4.0.3 👍🏻

To avoid error being thrown, set validateOnReuse to false. The token will still be validated.