我正在使用带有 Express 框架的csrf中间件。我的登录页面是这样的:
app.get('/', getUserOrLogin, function (req, res) {
// do something...
});
getUserOrLogin的位置:
// Return the user otherwise redirect to login page
var getUserOrLogin = function (req, res, next) {
var user = req.session.user;
if (user == null) {
req.session.backTo = req.originalUrl;
res.redirect('/login');
} else {
req.user = user;
next();
}
};
当我尝试访问/时,它会将我正确地重定向到/login,但未设置Cookie中的csrf令牌。
我是否对getUserOrLogin函数做错了或者是Express bug?
答案 0 :(得分:1)
我发现了错误。由于我不想在每个页面上使用csrf控制我使用条件函数:
// Disable CSRF for some requests
var conditionalCSRF = function (req, res, next) {
var whitelist = ['/inbound'];
if (req.method !== 'POST') {
next();
return;
}
if (whitelist.indexOf(req.url) !== -1) {
next();
} else {
(express.csrf())(req, res, next);
}
};
app.use(conditionalCSRF);
但是,在用户需要需要它的页面之前,该函数不会设置csrf令牌。所以我就这样修改了它
var connect = require('connect');
// Disable CSRF for some requests
var conditionalCSRF = function (req, res, next) {
var whitelist = ['/inbound'];
req.session._csrf || (req.session._csrf = connect.utils.uid(24));
if (req.method !== 'POST') {
next();
return;
}
if (whitelist.indexOf(req.url) !== -1) {
next();
} else {
(express.csrf())(req, res, next);
}
};
app.use(conditionalCSRF);