When session store is down, csurf should call next(err), not throw error
simoami opened this issue
Simo Moujami commented
This is a deviation from recommended patterns for connect-based middleware. When a middleware encounters an unrecoverable error, it should call next(err).
This is not the case below (index.js). Also the error message is misleading in this case because the configuration is valid:
throw new Error('misconfigured csrf')
Also, this does not filter page and xhr requests versus resources. The end result is that resources like styles and images cannot be served to build a friendly, nice-looking error page.
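
One way an application could wrap the CSRF middleware so that a missing session is reported through next(err) and asset requests bypass the check. This is an added example, not code from the issue or from csurf: `guardCsrf`, `STATIC_PREFIXES`, the stand-in `throwingCsrf`, the 503 status and the small `run` dispatcher are all hypothetical, and the request objects are constructed.

```javascript
// Added illustration; not csurf's code. All names and paths are hypothetical.
const STATIC_PREFIXES = ['/css/', '/img/', '/js/']; // assumed asset locations

// Stand-in for the behaviour quoted in the issue: throws when req.session is absent.
function throwingCsrf(req, res, next) {
  if (!req.session) throw new Error('misconfigured csrf');
  next();
}

// Wrapper: assets bypass the CSRF check; a missing session is reported through
// next(err) with an accurate message and a 503 status instead of a throw.
function guardCsrf(csrf) {
  return function (req, res, next) {
    if (STATIC_PREFIXES.some((p) => req.url.startsWith(p))) return next();
    if (!req.session) {
      const err = new Error('session store unavailable');
      err.status = 503;
      return next(err);
    }
    csrf(req, res, next);
  };
}

// Error handler (4 arguments): JSON for XHR callers, a generic page otherwise.
function errorHandler(err, req, res, next) {
  res.statusCode = err.status || 500;
  res.body = req.xhr ? JSON.stringify({ error: err.message }) : 'Service temporarily unavailable';
}

// Final route handler, standing in for the application.
function app(req, res, next) { res.statusCode = 200; res.body = 'ok'; }

// Minimal connect-style dispatcher, for this example only: an error passed to
// next(err) skips ahead to the first 4-argument handler.
function run(stack, req) {
  const res = { statusCode: null, body: null };
  let i = 0;
  const next = (err) => {
    const fn = stack[i++];
    if (!fn) return;
    if (err && fn.length === 4) return fn(err, req, res, next);
    if (!err && fn.length !== 4) return fn(req, res, next);
    next(err);
  };
  next();
  return res;
}

const stack = [guardCsrf(throwingCsrf), app, errorHandler];
```

With no session attached, `run(stack, { url: '/css/site.css' })` still returns a 200, while `run(stack, { url: '/account' })` reaches `errorHandler` with the 503.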