A way of getting csrfToken through POST request

Question

A way of getting csrfToken through POST request

Bogdan-Kalynovskyi opened this issue 7 years ago · comments

Bohdan Kalynovskyi (Dan) commented 7 years ago

Here's the example from official docs, except one difference: xsrfToken is sent in response to POST request, not GET:


var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var bodyParser = require('body-parser')
var express = require('express')

var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })

var app = express()
app.use(cookieParser())

app.post('/authenticate', /*csrfProtection,*/ function (req, res) {
    // check credentials from request.body
    // and then 

    res.send({ csrfToken: req.csrfToken() })  //EXCEPTION: csrfToken is not a function 
})

app.post('/process', parseForm, csrfProtection, function (req, res) {
    res.send('data is being processed')
})

I'm facing the egg-hen problem: if I enable csrfProtection, I cannot access the endpoint without the token, but if I disable it, req.csrfToken becomes undefined.

I need the /authenticate endpoint to be POST, because I don't want to expose password as url parameter.

Douglas Wilson · Answer 1 · Mon Nov 27 2017 08:50:39 GMT+0800 (China Standard Time)

app.post('/authenticate', csrf({ cookie: true, ignoreMethods: ['POST'] }), function (req, res) {

Douglas Wilson · Answer 2 · Mon Nov 27 2017 08:52:44 GMT+0800 (China Standard Time)

The middleware instance you mount on your POST route should just have POST included in your ignoreMethods option.

Naufal Khalid · Answer 3 · Wed May 06 2020 19:57:08 GMT+0800 (China Standard Time)

It still does not validate the token in the subsequent request since the function returns a different value