newbie. I'm using ExpressJS/Node. Here's my config stuff: <pre class="prettyprint"><code>var express = require('express'), app = express.createServer(), jade=require('jade'); // Configuration app.configure(function(){ app.set('views', __dirname + '/views'); app.use(express.logger()); app.use(express.cookieParser()); app.use(express.session({ secret: "secretive secret" })); app.set('view engine', 'jade'); app.use(express.bodyParser()); app.use(express.methodOverride()); app.use(require('stylus').middleware({ src: __dirname + '/public' })); app.use(app.router); app.use(express.static(__dirname + '/public')); app.use(express.csrf()); </code></pre> I found csrf.js in Express directories, and see that it should be generated and assigned to req.body._csrf, but I'm not sure how to access it. Here's the csrf.js code <pre class="prettyprint"><code>module.exports = function csrf(options) { var options = options || {} , value = options.value || defaultValue; return function(req, res, next){ // generate CSRF token var token = req.session._csrf || (req.session._csrf = utils.uid(24)); // ignore GET (for now) if ('GET' == req.method) return next(); // determine value var val = value(req); // check if (val != token) return utils.forbidden(res); next(); } }; </code></pre> Help? Thanks!

Dynamic helpers has been removed from Express since 3.x. The new usage would be <code>app.use(express.csrf());</code>, which comes from Connect.

Add the token to dynamic helpers. <pre class="prettyprint"><code>app.dynamicHelpers({ token: function(req, res) { return req.session._csrf; } }); </code></pre> Reference it in your jade template. <pre class="prettyprint"><code>input(type='hidden', value=token) </code></pre> Source: http://senchalabs.github.com/connect/middleware-csrf.html

How do I generate CSRF tokens in Express?

Tags:

node.js

express

csrf

newbie. I'm using ExpressJS/Node. Here's my config stuff:

var express = require('express'),
app = express.createServer(),
jade=require('jade');
// Configuration
app.configure(function(){
app.set('views', __dirname + '/views');
app.use(express.logger());
app.use(express.cookieParser());
app.use(express.session({ secret: "secretive secret" }));
app.set('view engine', 'jade');
app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(require('stylus').middleware({ src: __dirname + '/public' }));
app.use(app.router);
app.use(express.static(__dirname + '/public'));
app.use(express.csrf());

I found csrf.js in Express directories, and see that it should be generated and assigned to req.body._csrf, but I'm not sure how to access it.

Here's the csrf.js code

module.exports = function csrf(options) {
var options = options || {}
, value = options.value || defaultValue;

return function(req, res, next){
// generate CSRF token
var token = req.session._csrf || (req.session._csrf = utils.uid(24));

// ignore GET (for now)
if ('GET' == req.method) return next();

// determine value
var val = value(req);

// check
if (val != token) return utils.forbidden(res);

next();
}
};

Help? Thanks!

286

asked Jan 03 '12 01:01

bear

2 Answers

Dynamic helpers has been removed from Express since 3.x.

The new usage would be app.use(express.csrf());, which comes from Connect.

answered Sep 22 '22 05:09

chenglou

Add the token to dynamic helpers.

app.dynamicHelpers({
  token: function(req, res) {
    return req.session._csrf;
  }
});

Reference it in your jade template.

input(type='hidden', value=token)

Source: http://senchalabs.github.com/connect/middleware-csrf.html

answered Sep 23 '22 05:09

fent

Related questions
                            
                                Does passportjs LocalStrategy allow more parameters than the default username and password?
                            
                                Nodemailer send base64 data URI as attachment. How?
                            
                                Sails.js 0.10.x: Log to file
                            
                                NodeJS 4 & 5 npm install fail for bcrypt and db-migrate
                            
                                Node js is still listening to the port after ctrl+z
                            
                                Could Not Connect to Local Server in Xcode
                            
                                What causes node.js to wait until the request finishes?
                            
                                Electron and Cordova for Windows build [closed]
                            
                                How Do I create a NodeJS Module?
                            
                                host node js on windows server (iis)
                            
                                how to retrieve image from s3 with nodejs
                            
                                Axios on Nodejs wont retain session on requested server while PostMan does
                            
                                Run create-react-app in a certain browser
                            
                                How to pass a parameter to middleware function in Express JS?
                            
                                How to use begins_with in AWS DynamoDb js sdk?
                            
                                Angular 7/8 - How to get url parameters in app component
                            
                                ts-node-dev not restarting when changes made
                            
                                node.js real-time game
                            
                                Usages of Node.js - What obstacles is it aiming to provide a ramp for?
                            
                                Example of Node.js Express registering Underscore.js as view engine?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With