CODEWITHSUNDEEP
node.jspassport.jscsrfexpress-4
Igor P.
Igor P.

Reputation: 1477

CSRF protection for Node.js Express 4 and passport.js not working

Using csurf, I am trying to integrate csrf protection into my node.js express 4 application. This is my code:

EDIT: The code below was updated according to the solution I found.

    "use strict";
    var http = require('http');
    var https = require('https');

    var port = process.env.PORT || 80,
     express = require('express'),
     csrf = require('csurf'),
     bodyParser = require('body-parser');

    var LocalStrategy = require('passport-local').Strategy,
        csrfProtection = csrf({ cookie: true }),
        mongoose = require('mongoose'),
        conn = mongoose.createConnection('foo'),
        cookieParser = require('cookie-parser'),
        passport = require('passport'),
            session = require('express-session'),
            MongoStore = require('connect-mongo')(session),
            app = express();

        app.set('view engine', 'ejs');
        var csrfProtection = csrf({ cookie: true }); // doesn't work either
        require('passport')(passport); 
        app.use(cookieParser("foo")); 
        app.use(bodyParser.json());
        app.use(bodyParser.urlencoded({extended: true})); //extended: true|false does not make any difference

        app.use(session({
            //foo
        }));

        app.use(passport.initialize());
        app.use(passport.session()); 

        require('./app/routes.js')(app, passport); //routes inside here cause a ReferenceError: csrfProtection is not defined  

        http.createServer(app).listen(port);
        https.createServer(options, app).listen(443, function () {
            //foo
        });

-- routes.js --

        var csrf = require('csurf'), //this needs to go in here
            csrfProtection = csrf(); //this needs to go in here

    module.exports = function(app, passport) {
       app.route('/somepage')
       .get(csrfProtection, function(req, res) { 
          res.render('somepage', { csrfToken: req.csrfToken()});
       });
    };

-- routes.js end--

For some strange reason csrfProtection remains unknown inside my page routes causing a ReferenceError (see comment inside code). What am I missing?

Upvotes: 0

Views: 2308

Answers (1)

Barrard
Barrard

Reputation: 2043

EDIT: ignoreMethods An array of the methods for which CSRF token checking will disabled. Defaults to ['GET', 'HEAD', 'OPTIONS'].
Try and set it to ['HEAD','OPTIONS'] 

csrfProtection = csrf(
    { cookie: true, ignoreMethods:['HEAD','OPTIONS' ] }
)

Upvotes: 0

Related Questions