節點js csurf令牌始終無效
[英]Node js csurf token always invalid
問題描述
我在Node.js Exspress應用程序上安裝了csurf包。 令牌正確地顯示(似乎), name="_csrf" ,值等於某個哈希值,使用req.csrfToken()設置。 但我總是得到一個錯誤,說令牌無效。 這是我的一些代碼:
var express = require('express')
var app = express()
var nunjucks = require('nunjucks')
var bodyParser = require('body-parser')
var session = require('express-session')
var service = require('./service')
var csrf = require('csurf')
app.set('view engine', 'html')
nunjucks.configure('views', {
autoescape: true,
express: app
})
app.set('trust proxy', 1)
app.use(session({
secret: 'Blue Dragon',
resave: false,
saveUninitialized: true
}))
app.use(csrf({ cookie: false }))
app.use(function (err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') return next(err)
res.status(403)
res.send('session has expired or form tampered with')
})
和:
var express = require('express')
var app = module.exports = express()
var nunjucks = require('nunjucks')
var service = require('../../service')
var csrf = require('csurf')
var bodyParser = require('body-parser')
nunjucks.configure('views', {
autoescape: true,
express: app
})
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })
app.get('/getnoun/:id', function (req, res) {
req.models.noun.find({ id: req.params.id }, function (err, noun) {
if (err) {
throw err
service.log('Critical', err.message)
}
res.render('noun', { nouns: noun })
})
})
app.get('/addnoun', function (req, res) {
res.render('addnoun', { csrfToken: req.csrfToken() })
})
//app.post('/savenoun', function (req, res) { // gives same problem both ways
app.post('/savenoun', parseForm, csrfProtection, function (req, res) {
var noun = new req.models.noun({
lemma : req.body.lemma,
gloss : req.body.gloss,
sentence : req.body.sentence,
gender : req.body.gender,
roman : req.body.roman,
img : req.body.img,
level : req.body.level
})
noun.save(function (err) {
if (err) {
throw err
service.log('Critical', err.message)
}
})
res.render('home')
})
在html :(我查看源以確保將值放入隱藏的輸入中)
<form action="/savenoun" method="post">
<input type="text" name="lemma" placeholder="lemma"><br>
<input type="text" name="gloss" placeholder="gloss"><br>
<input type="text" name="roman" placeholder="roman"><br>
<input type="text" name="sentence" placeholder="sentence"><br>
<input type="text" name="gender" placeholder="gender"><br>
<input type="text" name="img" placeholder="image"><br>
<input type="text" name="level" placeholder="level"><br>
<input type="hidden" name="_csrf" value="{{ csrfToken }}">
<button type="submit" class="btn btn-skyblue">Save</button>
</form>
為什么csrf令牌沒有得到驗證?
1 個解決方案
解決方案1
0 2019-08-20 09:32:00
使用csurf npm包中的以下代碼。
var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var bodyParser = require('body-parser')
var express = require('express')
// setup route middlewares
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })
// create express app
var app = express()
// parse cookies
// we need this because "cookie" is true in csrfProtection
app.use(cookieParser())
app.get('/', function(req, res) {
res.send('Hello World !!! ')
});
app.get('/form', csrfProtection, function (req, res) {
// pass the csrfToken to the view
res.send({ csrfToken: req.csrfToken() })
})
app.post('/process', parseForm, csrfProtection, function (req, res) {
res.send('data is being processed')
})
// error handler
app.use(function (err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') return next(err)
// handle CSRF token errors here
res.status(403)
res.send('form tampered with')
})
var port = 3000;
app.listen(port);
console.log('Server is listening at: ', port);
樣品申請
var request = require("request");
var options = { method: 'GET',
url: 'http://localhost:3000/form',
headers:
{ 'cache-control': 'no-cache',
Connection: 'keep-alive',
'accept-encoding': 'gzip, deflate',
cookie: '_csrf=uQmzsYUSlBObB62SJIC_z7tt',
Host: 'localhost:3000',
'Postman-Token': 'b25b248a-319c-4429-be73-b8f0d1d08efc,3768fe7b-4d1f-4486-a40d-107609f97258',
'Cache-Control': 'no-cache',
Accept: '*/*',
'User-Agent': 'PostmanRuntime/7.13.0' } };
request(options, function (error, response, body) {
if (error) throw new Error(error);
console.log(body);
});
和
var request = require("request");
var options = { method: 'POST',
url: 'http://localhost:3000/process',
headers:
{ 'cache-control': 'no-cache',
Connection: 'keep-alive',
'content-length': '',
'accept-encoding': 'gzip, deflate',
cookie: '_csrf=uQmzsYUSlBObB62SJIC_z7tt',
Host: 'localhost:3000',
'Postman-Token': '2c3d2ee3-8678-4cef-a926-48866083112f,016ab945-a9fb-4fa9-95a7-e62f934414bb',
'Cache-Control': 'no-cache',
Accept: '*/*',
'User-Agent': 'PostmanRuntime/7.13.0',
'CSRF-Token': '0zMVtG9B-OEI4ZD_9meo9EiWpPkOfngwRWkU' } };
request(options, function (error, response, body) {
if (error) throw new Error(error);
console.log(body);
});
Node.js - Express.js JWT始終在瀏覽器響應中返回無效的令牌錯誤
[英]Node.js - Express.js JWT always returns an invalid token error in browser response
無法擺脫ForbiddenError:使用Csurf快遞時無效的CSRF令牌
[英]Impossible to get rid of ForbiddenError: invalid csrf token on express with csurf
使用 node.js 運行腳本時出現“語法錯誤:無效或意外的標記”
[英]"Syntax error: Invalid or unexpected token" running a script with node.js
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
Node.js - csurf 無效的 csrf 令牌
node.js csurf無效的csrf令牌
Node Express和csurf-403(禁止)無效的csrf令牌
如何在 node js 上實現 csurf 和 react js?
Node.js - Express.js JWT始終在瀏覽器響應中返回無效的令牌錯誤
無法擺脫ForbiddenError:使用Csurf快遞時無效的CSRF令牌
csurf節點:csrf令牌已使用多次,沒有錯誤
node.js SyntaxError:無效或意外令牌
Express 和 React,發送 CSURF 令牌
使用 node.js 運行腳本時出現“語法錯誤:無效或意外的標記”
相關標簽