Andre Frexio

Reputation: 155

SailsJS CSRF mismatch error customize

I need to customise the error that shows up when someone did not send the CSRF code with the POST request.

So that no one will know what happened with the error, and they will not even try to hack into the CSRF mechanism.

Hope this is clear

Upvotes: 1

Views: 1115

Answers (1)

Konstantin Zolotarev

Reputation: 622

For now the Sails.js CSRF hook uses the res.forbidden() function to handle a wrong CSRF token. It calls it with this message:

return res.forbidden("CSRF mismatch");

So you could rewrite this response by placing a new file named forbidden.js into /api/responses. Actually, you could copy this one: https://github.com/balderdashy/sails/blob/master/lib/hooks/responses/defaults/forbidden.js

And add a condition that checks data before the production-mode check:

...
else sails.log.verbose('Sending 403 ("Forbidden") response');

if (data === 'CSRF mismatch') {
    // Return another response instead of the stock 403, for example:
    return res.jsonx(500, {/* data here */});
}
// Only include errors in response if application environment
// is not set to 'production'.  In production, we shouldn't
// send back any identifying information about errors.
if (sails.config.environment === 'production') {
...

Anyway, as long as you use development mode for Sails, you will see all errors when getting a 500 or any other error from Sails. But in production mode all error messages will be hidden, and your users won't get any error details except the error code.

So in production mode, without any changes, you will get only the HTTP 403 code.

Upvotes: 2
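As an added example (not part of the answer above and not Sails' own code), here is a complete api/responses/forbidden.js override along the lines the answer describes. It assumes the Sails 0.10-0.12 custom-response convention (the function is invoked with this.req / this.res, and res.jsonx and req.wantsJSON exist). Unlike the answer's suggestion of switching to a 500, this variant keeps the 403 status but replaces the "CSRF mismatch" message with the same generic body a client would get for any other forbidden request, so the response itself does not reveal that CSRF checking is what rejected it. The simulate() helper is a constructed stand-in for Sails' req/res objects so the override can be exercised offline.

```javascript
// api/responses/forbidden.js (example override; assumes Sails 0.10-0.12
// custom-response conventions: this.req, this.res, res.jsonx, req.wantsJSON)

function forbidden(data, options) {
  var req = this.req;
  var res = this.res;
  var sails = req._sails;

  res.status(403);

  // The CSRF hook calls res.forbidden("CSRF mismatch"). Intercept that exact
  // message before any environment check, log it server-side only, and send
  // a generic body so the client cannot distinguish it from any other 403.
  if (data === 'CSRF mismatch') {
    sails.log.verbose('403: CSRF token missing or invalid (details withheld from client)');
    return res.jsonx({ error: 'Forbidden' });
  }

  // Remaining behaviour mirrors the stock response: log, then strip details
  // in production so no identifying information about errors leaks.
  if (data !== undefined) {
    sails.log.verbose('Sending 403 ("Forbidden") response: \n', data);
  } else {
    sails.log.verbose('Sending 403 ("Forbidden") response');
  }

  if (sails.config.environment === 'production') {
    data = undefined;
  }

  if (req.wantsJSON) {
    return res.jsonx(data);
  }
  // The stock response renders a 403 view for HTML clients; this example
  // sends plain text instead to stay self-contained.
  return res.send(data === undefined ? 'Forbidden' : String(data));
}

if (typeof module !== 'undefined') {
  module.exports = forbidden;
}

// Constructed stand-in for Sails' req/res (not a real Sails API) so the
// override can be run offline. Returns the status and body the client
// would receive.
function simulate(data, environment, wantsJSON) {
  var sent = { status: null, body: undefined };
  var res = {
    status: function (code) { sent.status = code; return res; },
    jsonx: function (body) { sent.body = body; return sent; },
    send: function (body) { sent.body = body; return sent; }
  };
  var req = {
    wantsJSON: wantsJSON,
    _sails: {
      config: { environment: environment },
      log: { verbose: function () {} }
    }
  };
  forbidden.call({ req: req, res: res }, data);
  return sent;
}

// Usage: the CSRF case looks like any other generic 403 in every environment,
// while other forbidden reasons keep the stock dev/prod behaviour.
console.log(simulate('CSRF mismatch', 'development', true));
console.log(simulate('policy denied', 'development', true));
console.log(simulate('policy denied', 'production', true));
```

Note that the generic body is returned before the production check, so the message stays hidden in development too; the real reason is still written to the Sails log for operators.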
