
Kraken.js CSRF Handling

I have a problem with krakenjs; I'm a Node/Express newbie.

krakenjs is set to default CSRF protection (I know how to disable it, but I don't want to), but I don't know how to handle CSRF and avoid the 403 error.

In my ejs file I have this line:

<input type="hidden" name="_crsf" value="<%= _csrf %>" />

It generates a proper CSRF token; there is no problem there.

And here is my route:

server.post('/isengard/fact/new', function(req,res){
    var new_fact = Fact({
        title : req.body.fact_title,
        description : req.body.fact_description,
        source : req.body.fact_source
    });
    new_fact.save(function(err){
        if(err) return handleError(err);
        var model = {status:true};
        res.render('isengard/create',model);
    });
});

But when I send the form (POST), I get this error:

403 Error: Forbidden
at Object.exports.error (/Users/onur/Documents/node/sage/node_modules/express/node_modules/connect/lib/utils.js:63:13)
at createToken (/Users/onur/Documents/node/sage/node_modules/express/node_modules/connect/lib/middleware/csrf.js:82:55)
at /Users/onur/Documents/node/sage/node_modules/express/node_modules/connect/lib/middleware/csrf.js:48:24
at csrf (/Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:112:13)
at /Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:60:21
at xframe (/Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:131:9)
at /Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:60:21
at p3p (/Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:144:9)
at /Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:60:21
at Object.appsec (/Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:65:9)

Can anyone explain to me how to handle CSRF?

Actually, your problem is that you have:

<input type="hidden" name="_crsf" value="<%= _csrf %>" />

instead of:

<input type="hidden" name="_csrf" value="<%= _csrf %>" />

Note the typo in the name attribute.

The trick is that you need to wrap your POST test inside a GET and parse the necessary CSRF token from the cookie.

Here's an example: https://stackoverflow.com/a/18776974/1935918

CSRF in kraken is pretty much entirely handled by the csrf connect middleware (with the one addition being exposing the token to your views as _csrf).

A little more information would go a long way (req/res headers at the least, but an HAR would be awesome), but I can see a few ways this might happen:

  1. The csrf secret (not token, mind you) is being regenerated or removed some time between the initial GET and the POST. The only way this is possible is if the value stored as _csrfSecret in the session is changed or deleted between requests. Make sure your session is working properly.
  2. One of the security headers is giving you grief. Try turning them off temporarily with something like the following in your middleware-development.json:

     { "middleware": { "appsec": { "csp": false, "xframe": false, "p3p": false } } } 

Unless you need CSRF protection, put this in your config.json to disable it altogether. Then your app runs as it otherwise would.

"middleware": {
    "appsec": {
        "priority": 110,
        "module": {
            "name": "lusca",
            "arguments": [
                {
                    "csrf": false,
                    "xframe": "SAMEORIGIN",
                    "p3p": false,
                    "csp": false
                }
            ]
        }
    }
}
