Onur Özkan

Reputation: 1018

Kraken.js CSRF Handling

I have a problem with Kraken.js; I'm a Node/Express newbie.

Kraken.js is set to default CSRF protection (I know how to disable it, but I don't want to), but I don't know how to handle CSRF and avoid the 403 error.

In my EJS file I have this line:

<input type="hidden" name="_crsf" value="<%= _csrf %>" />

It generates a proper CSRF token; there is no problem there.

And here is my route:

// Fact is the model (e.g. a Mongoose model) and handleError the error
// handler defined elsewhere in the app; both are outside this snippet.
server.post('/isengard/fact/new', function(req, res){
    var new_fact = Fact({
        title : req.body.fact_title,
        description : req.body.fact_description,
        source : req.body.fact_source
    });
    new_fact.save(function(err){
        if (err) return handleError(err);
        var model = {status: true};
        res.render('isengard/create', model);
    });
});

But when I submit the form (POST), I get this error:

403 Error: Forbidden
at Object.exports.error (/Users/onur/Documents/node/sage/node_modules/express/node_modules/connect/lib/utils.js:63:13)
at createToken (/Users/onur/Documents/node/sage/node_modules/express/node_modules/connect/lib/middleware/csrf.js:82:55)
at /Users/onur/Documents/node/sage/node_modules/express/node_modules/connect/lib/middleware/csrf.js:48:24
at csrf (/Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:112:13)
at /Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:60:21
at xframe (/Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:131:9)
at /Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:60:21
at p3p (/Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:144:9)
at /Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:60:21
at Object.appsec (/Users/onur/Documents/node/sage/node_modules/kraken-js/node_modules/lusca/index.js:65:9)

Can anyone explain to me how to handle CSRF?

Upvotes: 7

Views: 5415

Answers (4)

Vontei

Reputation: 1897

Unless you need CSRF protection, put this in your config.json to disable it altogether. Then your app runs as it otherwise would.

"middleware": {
    "appsec": {
        "priority": 110,
        "module": {
            "name": "lusca",
            "arguments": [
                {
                    "csrf": false,
                    "xframe": "SAMEORIGIN",
                    "p3p": false,
                    "csp": false
                }
            ]
        }
    }
}

Upvotes: 1

schreifels

Reputation: 431

Actually, your problem is that you have:

<input type="hidden" name="_crsf" value="<%= _csrf %>" />

instead of:

<input type="hidden" name="_csrf" value="<%= _csrf %>" />

Note the typo in the name attribute.

Upvotes: 4

Jean-Charles

Reputation: 366

CSRF in Kraken is pretty much entirely handled by the csrf connect middleware (with the one addition being exposing the token to your views as _csrf).

A little more information would go a long way (req/res headers at the least but an HAR would be awesome) but I can see a few ways this might happen:

  1. The csrf secret (not token, mind you) is being regenerated or removed some time between the initial GET and the POST. The only way this is possible is if the value stored as _csrfSecret in the session is changed or deleted between requests. Make sure your session is working properly.
  2. One of the security headers is giving you grief. Try turning them off temporarily with something like the following in your middleware-development.json:

    {
      "middleware": {
        "appsec": {
          "csp": false,
          "xframe": false,
          "p3p": false
        }
      } 
    }
    

Upvotes: 1

Dan Kohn

Reputation: 34337

The trick is that you need to wrap your POST test inside a GET and parse the necessary CSRF token from the cookie.

Here's an example: https://stackoverflow.com/a/18776974/1935918

Upvotes: 1
