ammended w Simon feedback 🙏

Author: brianleroux

src/http/csrf/create.js

@@ -1,9 +1,10 @@
-let crypto = require('node:crypto')
+const crypto = require('node:crypto')
+const fiveMinutes = 300000
 
 /** creates a signed token [rando].[timestamp].[sig] */
-module.exports = function create (data) {
+module.exports = function create (data, ts) {
   data = data || Buffer.from(crypto.randomUUID().replace(/-/g, ''))
-  const secret = 'changeme' || process.env.ARC_APP_SECRET
-  const ts = Date.now()
+  ts = ts || Date.now() + fiveMinutes
+  const secret = process.env.ARC_APP_SECRET || process.env.ARC_APP_NAME || 'fallback'
   return `${data}.${ts}.${crypto.createHmac('sha256', secret).update(data).digest('hex').toString()}`
 }

src/http/csrf/verify.js

@@ -3,10 +3,8 @@ let create = require('./create')
 /** ensures payload is valid token that hasn't expired */
 module.exports = function verify (payload) {
   const [ data, ts, sig ] = payload.split('.')
-  const elapsed = Date.now() - ts
-  const fiveMinutes = 300000
-  if (elapsed > fiveMinutes) return false
-  const gen = create(data)
+  if (Date.now() > ts) return false
+  const gen = create(data, ts)
   const sig2 = gen.split('.').pop()
   return sig2 === sig
 }