javascript - CSURF not working -
[development env] nodejs v4.2.4 + expressjs v4.13.1 + csurf v1.8.3
i installed csurf middleware seems not working. tried submitting form without csrf input field test works , there nothing err. inserted console.log codes router js file
console.log(res.locals._csrf);
and recieved 'undefined'.
i inserted input field verify value exist, html result had not csrftoken
<input name="_csrf" value="" type="hidden"> what can do? html source
<form class="form" method="post" action="/login" role="form"> <input type="hidden" name="_csrf" value="{{_csrf}}"> <div class="form-group label-floating"> <label class="control-label" for="focusedinput1">user name</label> <input class="form-control" name="username" id="focusedinput1" type="text"> </div> <div class="form-group"> <div class="form-group label-floating"> <label class="control-label" for="focusedinput2">password</label> <input class="form-control" name="user_pw" id="focusedinput2" type="password"> </div> </div> <div class="form-group"> <button type="submit" class="btn btn-primary" style="float:left">login</button> <button type="button" class="btn btn-default" style="float:right" data-dismiss="modal">cancel</button> </div> </form> and app.js
// module importing var express = require('express'), path = require('path'), favicon = require('serve-favicon'), logger = require('morgan'), cookieparser = require('cookie-parser'), bodyparser = require('body-parser'), exphbs = require('express-handlebars'), mongoose = require('mongoose'), csrf = require('csurf'); const session = require('express-session'); const mongostore = require('connect-mongo')(session); var routes = require('./routes/index'); var users = require('./routes/users'); var credentials = require('./credentials.js'); var app = express(); // mongoose setup mongoose.connect(credentials.mongoosersrc.collurl); // view engine setup app.set('views', path.join(__dirname, 'views')); app.engine('.hbs', exphbs({defaultlayout: 'single', extname: '.hbs'})); app.set('view engine', '.hbs'); // uncomment after placing favicon in /public //app.use(favicon(path.join(__dirname, 'public', 'favicon.ico'))); app.use(logger('dev')); app.use(bodyparser.json()); app.use(bodyparser.urlencoded({ extended: true })); app.use(cookieparser(credentials.cookiesecret)); app.use(session({ resave: false, saveuninitialized: false, secret: 'sfbsesc', store: new mongostore({ mongooseconnection: mongoose.connection }) })); app.use(express.static(path.join(__dirname, 'public'))); app.use('/', routes); app.use('/users', users); app.use(csrf()); app.use(function(req, res, next){ res.locals._csrf = req.csrftoken(); }); //skip
Comments
Post a Comment