expressjs / csurf

CSRF token middleware

When session store is down, csurf should call next(err), not throw error

simoami opened this issue

This is a deviation from recommended patterns for connect-based middleware. When a middleware encounters an unrecoverable error, it should call next(err).

This is not the case below (index.js). Also the error message is misleading in this case because the configuration is valid:

throw new Error('misconfigured csrf')

Also, this does not filter page and XHR requests versus resources. The end result is that resources like styles and images cannot be served to build a friendly, nice-looking error page.
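The pattern the issue asks for, as an added sketch that is not part of the issue and not csurf's code: a connect-style middleware that reports a missing session through `next(err)` and lets static resources pass. The function names, the extension list, the 503 status and the error code are all assumptions made for illustration, and the requests are constructed samples.

```javascript
// Hypothetical list of static resource extensions (assumption, not from csurf).
const STATIC_RE = /\.(css|js|png|jpe?g|gif|svg|ico|woff2?)$/i;

// Connect-style guard: requires req.session on requests that need CSRF state.
function requireSessionForCsrf(req, res, next) {
  // Static resources carry no CSRF state, so they pass even when the
  // session store is down and the error page can still load its assets.
  const path = req.url.split('?')[0];
  if (STATIC_RE.test(path)) return next();

  if (!req.session) {
    // Report through next(err) instead of throwing, and name the actual
    // condition (no session on the request) rather than "misconfigured".
    const err = new Error('session unavailable for CSRF check');
    err.status = 503;                  // assumed status for a store outage
    err.code = 'ESESSIONUNAVAILABLE';  // hypothetical error code
    return next(err);
  }
  next();
}

// Minimal connect-like dispatcher so the sketch runs without dependencies.
function run(stack, req) {
  const res = {};
  let i = 0;
  let result = { handled: 'end', error: null };
  function next(err) {
    if (err) { result = { handled: 'error', error: err }; return; }
    const fn = stack[i++];
    if (fn) fn(req, res, next);
  }
  next();
  return result;
}

// Constructed sample requests: page without session, asset, page with session.
const samples = [{ url: '/account' }, { url: '/css/site.css?v=2' }, { url: '/account', session: {} }];
for (const req of samples) {
  const r = run([requireSessionForCsrf], req);
  console.log(req.url, '->', r.handled, r.error ? r.error.code : '');
}
```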