Add utilities to prevent cookie tossing and replay attacks

[mcollina]

Checklist

• run npm run test and npm run benchmark
• tests and/or benchmarks are included
• documentation is changed or added
• commit message and code follows the Developer's Certification of Origin
  and the Code of conduct

[zekth]

Note: on another PR we might need to adress the move from var to let/const

[jsumners]

Maybe in another PR, but wouldn't it be clearer to var tokenParts = token.split('-')?

[mcollina]

possibly, I would like to ship this and the linked change in fastify-csrf first.

[jsumners]

I think this if (typeof... become redundant by the Number.isInteger, don't you?

[mcollina]

I think the code is wrong right now. We are casting strings to zero instead of throwing. The code was correct as it was before.

[jsumners]

Please explain. Number.isInteger only returns true for integer primitives.

[mcollina]

As the code is right now, https://github.com/fastify/csrf/pull/2/files#diff-a561630bb56b82342bc66697aee2ad96efddcbc9d150665abd6fb7ecb7c0ab2fR56 is failing. If validity is a string, we cast it as 0.

[jsumners]

Ah, it's the word "cast" that is confusing me. No casting is taking place; if a string is supplied then it is ignored and the default value, 0, is used instead.

When I left my change suggestion I had not reached the if (typeof ... yet. I saw the possibility of a non-integer being supplied for the option and suggested an easy change to ignore such cases.

[jsumners]

LGTM