balanza

Reputation: 1079

KrakenJS: perform POST request over a controller ends with error

I'm using KrakenJS to build a web app. Since it is MVC, I'm implementing a REST service through a controller; here's some sample code:

    // users can get data
    app.get('myRoute', function (req, res) {
        readData();
    });

    // users can send data
    app.post('myRoute', function (req, res) {
        writeData();
    });

I can read data with no problems. But when I try dummy data insertion with POST requests, it ends up with this error:

Error:Forbidden 127.0.0.1 - - [Thu, 06 Feb 2014 00:11:30 GMT] "POST /myRoute HTTP/1.1" 500 374 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/32.0.1700.102 Chrome/32.0.1700.102 Safari/537.36"

How can I overcome this?

Upvotes: 1

Views: 2241

Answers (4)

Vontei

Reputation: 1897

If you do not need csrf:

By placing this in middleware in your config.json and setting the values to false, you are disabling the use of the csrf middleware, and your app will function as expected.

    "middleware": {
        "appsec": {
            "priority": 110,
            "module": {
                "name": "lusca",
                "arguments": [
                    {
                        "csrf": false,
                        "xframe": "SAMEORIGIN",
                        "p3p": false,
                        "csp": false
                    }
                ]
            }
        }
    }

Upvotes: 0

rjnpnigrhi

Reputation: 79

I used a trick earlier in which you don't have to turn off csrf...

In your "index.dust" ->

    <input id="csrfid" type="hidden" name="_csrf" value="{_csrf}">

In your "script.js" ->

    var csrf = document.getElementById('csrfid').value;

    $http({
        method: 'POST',
        url: 'http://localhost:8000/myRoute/',
        data: { '_csrf': csrf, 'object': myObject }
    }).success(function (result) {
        // success handler
    }).error(function (result) {
        // error handler
    });

I was using AngularJS, btw.

Upvotes: 1

Lenny Markus

Reputation: 3418

As Dan said, you can turn csrf off, but you may also want to consider using it, for the added security it brings.

Check out the shopping cart example for more info: https://github.com/lmarkus/Kraken_Example_Shopping_Cart

Upvotes: 0

Dan

Reputation: 3459

One thing is to make sure you're sending the correct CSRF Headers (http://krakenjs.com/#Security). If I remember correctly, by default Kraken expects those headers to be specified.

You can disable CSRF too and see if that fixes your problem. Since Kraken uses the Lusca module for CSRF, you can get information on how to disable/configure from here: https://github.com/paypal/lusca

Upvotes: 1
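
Why the GET route works while a POST without a token is refused, and why sending the token in the `_csrf` body field or in a CSRF header fixes it, as an added example that is not part of any answer above and is not lusca's source. It is a simplified model of a synchronizer-token check; the function names, the `x-csrf-token` header name and the sample requests are assumptions constructed for illustration.

```javascript
// Simplified model of a synchronizer-token CSRF check (illustrative, not lusca's code).
const nodeCrypto = require('crypto');

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Issue a per-session token; the view renders it into the hidden _csrf field.
function issueToken(session) {
    session.csrfToken = nodeCrypto.randomBytes(24).toString('hex');
    return session.csrfToken;
}

// Constant-time comparison so the check does not leak how much of a guess matched.
function tokensMatch(expected, supplied) {
    if (typeof expected !== 'string' || typeof supplied !== 'string') return false;
    const a = Buffer.from(expected);
    const b = Buffer.from(supplied);
    return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Returns true when the request is allowed through, false when it is refused.
function csrfCheck(req) {
    if (SAFE_METHODS.has(req.method)) return true; // reads are not checked
    const supplied = (req.body && req.body._csrf) ||
        (req.headers && req.headers['x-csrf-token']); // assumed header name
    return tokensMatch(req.session.csrfToken, supplied);
}

// Constructed sample requests, all against the same session.
function demo() {
    const session = {};
    const token = issueToken(session);
    return {
        get: csrfCheck({ method: 'GET', session }),
        postNoToken: csrfCheck({ method: 'POST', session, body: { object: 1 } }),
        postBodyToken: csrfCheck({ method: 'POST', session, body: { _csrf: token, object: 1 } }),
        postHeaderToken: csrfCheck({ method: 'POST', session, headers: { 'x-csrf-token': token }, body: {} }),
        postForgedToken: csrfCheck({ method: 'POST', session, body: { _csrf: 'a'.repeat(48) } }),
    };
}

console.log(demo());
```

Only the two POSTs that carry the session's own token pass; a cross-site form cannot read that token, which is the protection lost when `"csrf": false` is set.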
