使用 expressjs csurf 中间件示例的无效令牌

Question

我尝试使用https://github.com/expressjs/csurf 中的 expressjs csurf 示例当使用自述文件中的第一个示例（使用 Ejs 模板语言）时，令牌验证工作正常。当我尝试使用“忽略路由”示例时，在“GET /form”到“POST /process”执行（就像我在第一个示例中所做的那样）时，我在“POST /process”上得到“无效令牌”。令牌被传递到 GET 上的表单。有什么想法吗？

'app.use(csrfProtection)' 不起作用吗？ （在非工作示例中使用，如果我删除'use（csrfP ..'并使用工作示例中的方法来使用csrf模块IE，将'csrfProtection'传递给'get'和'post'方法，第二个例子有效）

作品：

var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var bodyParser = require('body-parser')
var express = require('express')

// setup route middlewares
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })

// create express app
var app = express()

app.set('view engine', 'ejs')

// parse cookies
// we need this because "cookie" is true in csrfProtection
app.use(cookieParser())

app.get('/form', csrfProtection, function(req, res) {
  // pass the csrfToken to the view
  var tkn = req.csrfToken()
  console.log(tkn)
  res.render('index', { csrfToken: tkn })
})

app.post('/process', parseForm, csrfProtection, function(req, res) {
  res.send('data is being processed')
})

var server = app.listen(8081, function () {

  var host = server.address().address
  var port = server.address().port

  console.log("Example app listening at http://%s:%s", host, port)

})

html/ejs：

<!DOCTYPE html>  
<html lang="en">  
  <head>
  </head>
  <body>
    <form action="/process" method="POST">
        <input type="hidden" name="_csrf" value="<%= csrfToken %>">
        Favorite color: <input type="text" name="favoriteColor">
        <button type="submit">Submit</button>
    </form>
  </body>
</html>  

不起作用：

var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var bodyParser = require('body-parser')
var express = require('express')

// setup route middlewares
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })

// create express app
var app = express()

app.set('view engine', 'ejs')

// parse cookies
// we need this because "cookie" is true in csrfProtection
app.use(cookieParser())

// create api router
var api = createApiRouter()

// mount api before csrf is appended to the app stack
app.use('/api', api)

// now add csrf, after the "/api" was mounted
app.use(csrfProtection)

app.get('/form', function(req, res) {
  // pass the csrfToken to the view
  var tkn = req.csrfToken()
  console.log(tkn)
  res.render('index', { csrfToken: tkn })
})

app.post('/process', parseForm, function(req, res) {
  res.send('csrf was required to get here')
})

function createApiRouter() {
  var router = new express.Router()

  router.post('/getProfile', function(req, res) {
    res.send('no csrf to get here')
  })

  return router
}

var server = app.listen(8081, function () {

  var host = server.address().address
  var port = server.address().port

  console.log("Example app2 listening at http://%s:%s", host, port)

})

Answer 1

在第二个示例中，您没有将 csrfProtection 中间件传递给 POST 处理链。应该是

app.post('/process', parseForm, csrfProtection, function(req, res) {
  res.send('csrf was required to get here')
})