快速CSRF令牌验证 [英] Express CSRF token validation
问题描述
XSRF-TOKEN
,但我认为我生成两个不同的令牌,我有点困惑。还有一个名为 _csrf
的令牌,所以我在开发工具(XSRF-TOKEN和_csrf)中看到两个不同的cookie, _csrf
在发布后不会更改。 我想做的是为每个帖子请求生成一个新的标记,并检查它是否有效。有一件事我知道我应该为了安全而做,但是我坚持下来。
这是一个漫长的一天,我刚刚进入Express和NodeJS。 >
这是我当前的设置。
var express = require('express')
,passport = require('护照')
,flash = require('connect-flash')
,utils = require('./ utils')
,csrf = require('csurf')
// setup route middlewares
,csrfProtection = csrf({cookie:true})
,methodOverride = require('method-override')
, bodyParser = require(body-parser)
,parseForm = bodyParser.urlencoded({extended:false})
,cookieParser = require('cookie-parser')
,cookieSession = require ('cookie-session')
,LocalStrategy = require('passport-local')。策略
,RememberMeStrategy = require('../ ..')。
var app = express();
app.set('views',__dirname +'/ views');
app.set('view engine','ejs');
app.engine('ejs',require('ejs-locals'));
app.use(express.logger());
app.use(express.static(__ dirname +'/../../public'));
app.use(cookieParser());
app.use(bodyParser.urlencoded({extended:false}));
app.use(bodyParser.json());
app.use(methodOverride());
app.use(express.session({secret:'keyboard cat'}));
app.use(flash());
//初始化护照!还使用passport.session()中间件,支持
//持久登录会话(推荐)。
app.use(passport.initialize());
app.use(passport.session());
app.use(passport.authenticate('remember-me'));
app.use(app.router);
app.use(csrf());
app.use(function(req,res,next){
res.cookie('XSRF-TOKEN',req.csrfToken());
res.locals。 csrftoken = req.csrfToken();
next();
});
路线
app.get('/ form',csrfProtection,function(req,res){
//将csrfToken传递给视图
res.render('send',{csrfToken:req .csrfToken()});
});
app.post('/ process',parseForm,csrfProtection,function(req,res){
res.send('data being being processed');
}) ;
send.ejs(/ form GET)
< form action =/ processmethod =POST>
< input type =hiddenname =_ csrfvalue =<%= csrfToken%>>
最喜欢的颜色:< input type =textname =favoriteColor>
< button type =submit> Submit< / button>
< / form>
根据你分享的代码量,事情看起来不正确:
1。您可能需要交换这些行,以便csrf在路由之前运行。
app.use(app.router);
app.use(csrf());
2。这些线需要放在路线之前。
app.use(csrf());
app.use(function(req,res,next){
res.cookie('XSRF-TOKEN',req.csrfToken());
res.locals.csrftoken = req。 csrfToken();
next();
});
app.use(app.router);
3。在您的表单中使用 locals.csrftoken
< form action = / processmethod =POST>
< input type =hiddenname =_ csrfvalue =<%= csrftoken%>>
最喜欢的颜色:< input type =textname =favoriteColor>
< button type =submit> Submit< / button>
< / form>
I'm having issues with CSRF tokens. When I submit a form, a new XSRF-TOKEN
is being generated but I think I'm generating two different tokens, I'm kinda confused. There's also a token called _csrf
, so I see two different cookies in developer tools (XSRF-TOKEN and _csrf), _csrf
doesn't change after a post.
What I want to do is to generate a new token for each post request and check whether it's valid or not. One thing I know that I should do it for security, but I stuck.
It has been a long day and I'm new into Express and NodeJS.
Here's my current setup.
var express = require('express')
, passport = require('passport')
, flash = require('connect-flash')
, utils = require('./utils')
, csrf = require('csurf')
// setup route middlewares
,csrfProtection = csrf({ cookie: true })
, methodOverride = require('method-override')
, bodyParser = require("body-parser")
, parseForm = bodyParser.urlencoded({ extended: false })
, cookieParser = require('cookie-parser')
, cookieSession = require('cookie-session')
, LocalStrategy = require('passport-local').Strategy
, RememberMeStrategy = require('../..').Strategy;
var app = express();
app.set('views', __dirname + '/views');
app.set('view engine', 'ejs');
app.engine('ejs', require('ejs-locals'));
app.use(express.logger());
app.use(express.static(__dirname + '/../../public'));
app.use(cookieParser());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());
app.use(methodOverride());
app.use(express.session({ secret: 'keyboard cat' }));
app.use(flash());
// Initialize Passport! Also use passport.session() middleware, to support
// persistent login sessions (recommended).
app.use(passport.initialize());
app.use(passport.session());
app.use(passport.authenticate('remember-me'));
app.use(app.router);
app.use(csrf());
app.use(function (req, res, next) {
res.cookie('XSRF-TOKEN', req.csrfToken());
res.locals.csrftoken = req.csrfToken();
next();
});
Routes
app.get('/form', csrfProtection, function(req, res) {
// pass the csrfToken to the view
res.render('send', { csrfToken: req.csrfToken()});
});
app.post('/process', parseForm, csrfProtection, function(req, res) {
res.send('data is being processed');
});
send.ejs (/form GET)
<form action="/process" method="POST">
<input type="hidden" name="_csrf" value="<%= csrfToken %>">
Favorite color: <input type="text" name="favoriteColor">
<button type="submit">Submit</button>
</form>
Based on the amount of code you shared, a few things don't look correct:
1 . You may need to swap these lines so that csrf runs before the routes.
app.use(app.router);
app.use(csrf());
2 . These lines need to be placed before the routes.
app.use(csrf());
app.use(function (req, res, next) {
res.cookie('XSRF-TOKEN', req.csrfToken());
res.locals.csrftoken = req.csrfToken();
next();
});
app.use(app.router);
3 . Use locals.csrftoken
in your form
<form action="/process" method="POST">
<input type="hidden" name="_csrf" value="<%= csrftoken %>">
Favorite color: <input type="text" name="favoriteColor">
<button type="submit">Submit</button>
</form>
这篇关于快速CSRF令牌验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!