I've tried to get csurf to work but seem to have stumbled upon something. The code so far looks like this: index.ejs Where you insert password and username in the form. app.js Where I've put csrf after session and cookie parser. index.js What I get after submiting the form, no matter if I insert the correct username and password or

ForbiddenError: invalid csrf token, express js

I’ve tried to get csurf to work but seem to have stumbled upon something. The code so far looks like this:

index.ejs

<form method="post" action="/">
            <input type="hidden" name="_csrf" value="{{csrfToken}}">
            .
            .
</form>

JavaScript
​x
 
<form method="post" action="/">
            <input type="hidden" name="_csrf" value="{{csrfToken}}">
            .
            .
</form>
​

Where you insert password and username in the form.

app.js

   var express = require('express');
var helmet = require('helmet');
var csrf = require('csurf');
var path = require('path');
var favicon = require('serve-favicon');
var flash = require('connect-flash');
var logger = require('morgan');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var session = require('express-session');


var routes = require('./routes/index');
var users = require('./routes/users');
var profile = require('./routes/profile');

var app = express();


// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'ejs');

// uncomment after placing your favicon in /public
//app.use(favicon(path.join(__dirname, 'public', 'favicon.ico')));

app.use(logger('dev'));

//Security shyts

app.use(helmet());
app.use(helmet.xssFilter({ setOnOldIE: true }));
app.use(helmet.frameguard('deny'));
app.use(helmet.hsts({maxAge: 7776000000, includeSubdomains: true}));
app.use(helmet.hidePoweredBy());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.noCache());

// rest of USE
app.use(logger('dev'));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(cookieParser());
app.use(session({secret: 'anystringoftext', saveUninitialized: true, resave: true, httpOnly: true, secure: true}));
app.use(csrf()); // Security, has to be after cookie and session.
app.use(flash());
app.use(express.static(path.join(__dirname, 'public')));
app.use('/', routes);
app.use('/users', users);
app.use('/profile', profile);


// catch 404 and forward to error handler

app.use(function (req, res, next) {
  res.cookie('XSRF-TOKEN', req.csrfToken());
  res.locals.csrftoken = req.csrfToken();
  next();
})

//app.use(function(req, res, next) {
//  var err = new Error('Not Found');
//  err.status = 404;
//  next(err);
//});

// error handlers

// development error handler
// will print stacktrace
if (app.get('env') === 'development') {
  app.use(function(err, req, res, next) {
    res.status(err.status || 500);
    res.render('error', {
      message: err.message,
      error: err
    });
  });
}

// production error handler
// no stacktraces leaked to user
app.use(function(err, req, res, next) {
  res.status(err.status || 500);
  res.render('error', {
    message: err.message,
    error: {}
  });
});


module.exports = app;

JavaScript
 
   var express = require('express');
var helmet = require('helmet');
var csrf = require('csurf');
var path = require('path');
var favicon = require('serve-favicon');
var flash = require('connect-flash');
var logger = require('morgan');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var session = require('express-session');
​
​
var routes = require('./routes/index');
var users = require('./routes/users');
var profile = require('./routes/profile');
​
var app = express();
​
​
// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'ejs');
​
// uncomment after placing your favicon in /public
//app.use(favicon(path.join(__dirname, 'public', 'favicon.ico')));
​
app.use(logger('dev'));
​
//Security shyts
​
app.use(helmet());
app.use(helmet.xssFilter({ setOnOldIE: true }));
app.use(helmet.frameguard('deny'));
app.use(helmet.hsts({maxAge: 7776000000, includeSubdomains: true}));
app.use(helmet.hidePoweredBy());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.noCache());
​
// rest of USE
app.use(logger('dev'));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(cookieParser());
app.use(session({secret: 'anystringoftext', saveUninitialized: true, resave: true, httpOnly: true, secure: true}));
app.use(csrf()); // Security, has to be after cookie and session.
app.use(flash());
app.use(express.static(path.join(__dirname, 'public')));
app.use('/', routes);
app.use('/users', users);
app.use('/profile', profile);
​
​
// catch 404 and forward to error handler
​
app.use(function (req, res, next) {
  res.cookie('XSRF-TOKEN', req.csrfToken());
  res.locals.csrftoken = req.csrfToken();
  next();
})
​
//app.use(function(req, res, next) {
//  var err = new Error('Not Found');
//  err.status = 404;
//  next(err);
//});
​
// error handlers
​
// development error handler
// will print stacktrace
if (app.get('env') === 'development') {
  app.use(function(err, req, res, next) {
    res.status(err.status || 500);
    res.render('error', {
      message: err.message,
      error: err
    });
  });
}
​
// production error handler
// no stacktraces leaked to user
app.use(function(err, req, res, next) {
  res.status(err.status || 500);
  res.render('error', {
    message: err.message,
    error: {}
  });
});
​
​
module.exports = app; 
​

Where I’ve put csrf after session and cookie parser.

index.js

/* GET home page. */
router.get('/', function(req, res, next) {
  res.render('index', { title: 'some title',message: '' });
});

router.post('/',function(req,res){
// Where I have a bunch of mysql queries to check passwords and usernames where as if they succeed they get:
res.redirect('profile');
// Else:
res.redirect('/');
 });

JavaScript
 
/* GET home page. */
router.get('/', function(req, res, next) {
  res.render('index', { title: 'some title',message: '' });
});
​
router.post('/',function(req,res){
// Where I have a bunch of mysql queries to check passwords and usernames where as if they succeed they get:
res.redirect('profile');
// Else:
res.redirect('/');
 });
​

What I get after submiting the form, no matter if I insert the correct username and password or not I still get the same error:

invalid csrf token

403

ForbiddenError: invalid csrf token

JavaScript
 
invalid csrf token
​
403
​
ForbiddenError: invalid csrf token
​

Also I want add that I’ve been working with node for about 2 weeks, so there is still alot I need to learn probably.

Answer

{{csrfToken}} isn’t an EJS construction, so it’s not expanded at all and is probably sent literally to your server.

This should work better:

<input type="hidden" name="_csrf" value="<%= csrfToken %>">

JavaScript
 
<input type="hidden" name="_csrf" value="<%= csrfToken %>">
​

The middleware is setting csrftoken though, with lowercase ‘t’, where the template expects an uppercase ‘T’:

res.locals.csrftoken = req.csrfToken(); // change to `res.locals.csrfToken`

JavaScript
 
res.locals.csrftoken = req.csrfToken(); // change to `res.locals.csrfToken`
​

You also generate two different tokens, which is probably not what you want. Store the token in a variable and reuse that:

app.use(function (req, res, next) {
  var token = req.csrfToken();
  res.cookie('XSRF-TOKEN', token);
  res.locals.csrfToken = token;
  next();
});

JavaScript
 
app.use(function (req, res, next) {
  var token = req.csrfToken();
  res.cookie('XSRF-TOKEN', token);
  res.locals.csrfToken = token;
  next();
});
​

And lastly, you probably have to move your middleware to before the route declarations, otherwise it won’t be called:

app.use(function (req, res, next) {
  var token = req.csrfToken();
  res.cookie('XSRF-TOKEN', token);
  res.locals.csrfToken = token;
  next();
});
app.use('/', routes);
app.use('/users', users);
app.use('/profile', profile);

JavaScript
 
app.use(function (req, res, next) {
  var token = req.csrfToken();
  res.cookie('XSRF-TOKEN', token);
  res.locals.csrfToken = token;
  next();
});
app.use('/', routes);
app.use('/users', users);
app.use('/profile', profile);
​

Advertisement

Answer