Reputation: 69
There is something I don't understand. I always get a 403 error. I have code in the frontend (Vue.js); here I get a _csrf token from Sails.js, and that works OK.
axios.get('http://localhost:1337/csrfToken')
  .then(response => {
    this.$store.commit('csrf_update', response.data._csrf);
    console.log("_csrf===", response.data._csrf);
    axios.defaults.headers.post['X-CSRF-Token'] = response.data._csrf;
  })
And I have a Sails.js backend, with these settings in security.js:
cors: {
  allRoutes: true,
  allowOrigins: 'http://localhost:8080',
  allowCredentials: false,
  allowRequestMethods: 'GET, POST',
  allowRequestHeaders: 'content-type, X-CSRF-Token'
},
csrf: true
I have a token like this: _csrf: lM8avM1X-KvKz9v2zLnbQZFf8lKOThX9Llb4
And I get a 403 error when I make the request.
axios.post('http://localhost:1337/login', form)
  .then(response => {
    this.$router.push('/kabinet');
  })
  .catch(error => { console.log(error); });
These are my headers.
What's wrong?
Upvotes: 1
Views: 1428
Reputation: 21
In the headers of the axios request add:
"x-csrf-token": window.SAILS_LOCALS._csrf
Upvotes: 0
Reputation: 69
So, everything was very simple.
In the Sails.js file security.js, change allowCredentials: false to allowCredentials: true, and in the frontend (Vue.js) change the axios call by adding the parameter withCredentials: true, like this:
axios.get('http://localhost:1337/csrfToken', {
  withCredentials: true
}).then(response => {
  console.log("_csrf===", response.data._csrf);
  axios.defaults.headers.post['X-CSRF-Token'] = response.data._csrf;
})
and all axios requests must have withCredentials: true
Upvotes: 3
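Why enabling credentials removes the 403, as an added example that is not part of the original posts and is not Sails' own code: a simplified Node.js model in which the CSRF token is tied to the session, so a POST that arrives without the session cookie is checked against a fresh session and rejected. The function names and the HMAC token format are assumptions made for illustration.

```javascript
// Simplified model of session-bound CSRF checking (constructed for
// illustration; all names are hypothetical, not Sails internals).
const crypto = require('crypto');

const sessions = new Map(); // session id -> per-session CSRF secret

// Return the session named by the cookie, or start a new one when the
// request arrives without a known session cookie.
function loadSession(cookie) {
  if (cookie && sessions.has(cookie)) return cookie;
  const sid = crypto.randomBytes(16).toString('hex');
  sessions.set(sid, crypto.randomBytes(18).toString('hex'));
  return sid;
}

function sign(secret, salt) {
  return crypto.createHmac('sha256', secret).update(salt).digest('hex');
}

// GET /csrfToken: the token is derived from the secret kept in the session.
function getCsrfToken(cookie) {
  const sid = loadSession(cookie);
  const salt = crypto.randomBytes(4).toString('hex');
  return { setCookie: sid, _csrf: `${salt}-${sign(sessions.get(sid), salt)}` };
}

// POST /login: the X-CSRF-Token header must verify against the session
// that this request belongs to; otherwise the server answers 403.
function postLogin(cookie, csrfHeader) {
  const sid = loadSession(cookie);
  const [salt, mac = ''] = String(csrfHeader || '').split('-');
  const expected = Buffer.from(sign(sessions.get(sid), salt));
  const given = Buffer.from(mac);
  const ok = given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
  return ok ? 200 : 403;
}

// Browser model: a cross-origin request stores and sends the session cookie
// only when withCredentials is true and the server allows credentials.
function clientFlow(withCredentials) {
  const res = getCsrfToken(null);
  const jar = withCredentials ? res.setCookie : null; // cookie kept or dropped
  return postLogin(jar, res._csrf);
}

console.log('withCredentials: false ->', clientFlow(false));
console.log('withCredentials: true  ->', clientFlow(true));
```

With credentials disabled, the token itself is valid but belongs to a session the server can no longer associate with the request, which is why sending the header alone was not enough.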
Reputation: 117
Sails has a property called csrf in the config>security file. If you set it to true you can simply add
<input type="hidden" name="_csrf" value="<%= _csrf %>" />
to your form or at the place where you need it.
I am on Sails 1.0.2 and it works quite well.
Upvotes: 1