 

hackathon-starter using Lusca - where is csrf value being calculated/stored?

I'm very new to Node so please forgive me if this is a noob question. I'm trying to convert this project on GitHub over to use EJS views, but I'm struggling to understand how they're creating the CSRF token.

Seed project I'm using - https://github.com/sahat/hackathon-starter

Uses lusca for csrf generation https://github.com/krakenjs/lusca

The code I'm seeing in their seed project (at least what I think is relevant):

//app.js
var express = require('express');
var path = require('path');
var _ = require('lodash');
var homeController = require('./controllers/home');

var app = express();
var csrf = require('lusca').csrf();

/**
 * CSRF whitelist.
 */
var csrfExclude = ['/url1', '/url2'];

//original project uses jade
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'jade');   //i'm going to change this to ejs, but don't know where to get the csrf value (below) from

//lusca's csrf needs req.session, so a session middleware (express-session in the
//original app.js) has to be mounted before this point; it is not shown here.
app.use(function(req, res, next) {
  // CSRF protection.
  if (_.contains(csrfExclude, req.path)) return next();   // lodash 3 alias of _.includes
  csrf(req, res, next);
});
app.use(function(req, res, next) {
  // Make user object available in templates.
  res.locals.user = req.user;
  next();
});
app.use(function(req, res, next) {
  // Remember original destination before login.
  var path = req.path.split('/')[1];
  if (/auth|login|logout|signup|fonts|favicon/i.test(path)) {
    return next();
  }
  req.session.returnTo = req.path;
  next();
});

//route controllers
app.get('/', homeController.index);


//in separate controller file - home.js

exports.index = function(req, res) {
  res.render('home', {
    title: 'Home'
  });
};


//inside their jade file - this is converted to the html tag --- <meta name="csrf-token" content="cRcgih7Vl1Ms2Xz0zgIeAyWwQm6s4kp3/8OS4=">
meta(name='csrf-token', content=_csrf)

//so the value _csrf is converted to cRcgih7Vl1Ms2Xz0zgIeAyWwQm6s4kp3/8OS4=

My confusion is where the _csrf tag is being pulled from. I tried to grep for that keyword through all the files and don't actually see it set anywhere (might be missing something?). I'm looking through my inspector and am able to see that a session variable is set, req.session._csrfSecret = nLzJqL3YIAJVzA==, but this doesn't look to be the same key as used above. Based on the /8OS4 I'm thinking the value is actually concatenated somewhere.

My question is: in the jade template, where does this _csrf value come from? I don't see where jade is grabbing it from in the JS code anywhere (I don't see _csrf set in the response anywhere).

Or what's the normal way to create and persist the csrf value using lusca?

Thanks for any help!

Justin Maat asked Oct 20 '22 21:10

1 Answer

I was getting ready to answer this, but it looks like someone beat me to it: https://groups.google.com/forum/#!topic/nodejs/Zwnw4wOAtxw. Just posting this in case anyone else needs help with this.

Don answered Nov 15 '22 05:11