
CSRF protection for Node.js Express 4 and passport.js not working

Using csurf, I am trying to integrate csrf protection into my node.js express 4 application. This is my code:

EDIT: The code below was updated according to the solution I found.

    "use strict";
    var http = require('http');
    var https = require('https');

    var port = process.env.PORT || 80,
     express = require('express'),
     csrf = require('csurf'),
     bodyParser = require('body-parser');

    var LocalStrategy = require('passport-local').Strategy,
        csrfProtection = csrf({ cookie: true }),
        mongoose = require('mongoose'),
        conn = mongoose.createConnection('foo'),
        cookieParser = require('cookie-parser'),
        passport = require('passport'),
            session = require('express-session'),
            MongoStore = require('connect-mongo')(session),
            app = express();

        app.set('view engine', 'ejs');
        var csrfProtection = csrf({ cookie: true }); // doesn't work either
        require('passport')(passport); 
        app.use(cookieParser("foo")); 
        app.use(bodyParser.json());
        app.use(bodyParser.urlencoded({extended: true})); //extended: true|false does not make any difference

        app.use(session({
            //foo
        }));

        app.use(passport.initialize());
        app.use(passport.session()); 

        require('./app/routes.js')(app, passport); //routes inside here cause a ReferenceError: csrfProtection is not defined  

        http.createServer(app).listen(port);
        https.createServer(options, app).listen(443, function () {
            //foo
        });

-- routes.js --

        // routes.js — csurf has to be required here (or the middleware handed in by
        // the caller): a variable declared in the main file is scoped to that
        // module and is invisible in this one, hence the ReferenceError.
        // Without `{ cookie: true }` csurf stores its secret in req.session, so the
        // express-session middleware must be mounted before these routes.
        var csurf = require('csurf');
        var csrfProtection = csurf();

    module.exports = function(app, passport) {
        // csrfProtection runs before this handler, which is what makes
        // req.csrfToken() available to the view. Only this GET is covered here;
        // the state-changing request that must verify the token is not part of
        // this listing.
        function renderSomepage(req, res) {
            res.render('somepage', { csrfToken: req.csrfToken() });
        }

        app.get('/somepage', csrfProtection, renderSomepage);
    };

-- routes.js end--

For some reason csrfProtection remains unknown inside my page routes, causing a ReferenceError (see the comment inside the code). What am I missing?

EDIT: `ignoreMethods` — an array of the methods for which CSRF token checking will be disabled. Defaults to `['GET', 'HEAD', 'OPTIONS']`.
Try setting it to `['HEAD','OPTIONS']`:

// Variant that also checks tokens on GET: only HEAD and OPTIONS stay exempt.
// Reviewer note: csurf verifies the token before the route handler runs, so
// once GET is no longer ignored the request that is supposed to render the page
// and issue the first token via req.csrfToken() is itself rejected unless a
// token was obtained some other way — verify this matches the intended flow.
// Read-only methods are normally left in ignoreMethods for that reason.
csrfProtection = csrf({
    ignoreMethods: ['HEAD', 'OPTIONS'],
    cookie: true
});
