我在Node.js Exspress应用程序上安装了csurf包。令牌正确地显示(似乎),name="_csrf",值等于某个哈希值,用req.csrfToken()设置。但我总是得到一个错误,说令牌无效。以下是我的一些代码:
var express = require('express')
var app = express()
var nunjucks = require('nunjucks')
var bodyParser = require('body-parser')
var session = require('express-session')
var service = require('./service')
var csrf = require('csurf')
app.set('view engine', 'html')
nunjucks.configure('views', {
autoescape: true,
express: app
})
app.set('trust proxy', 1)
app.use(session({
secret: 'Blue Dragon',
resave: false,
saveUninitialized: true
}))
app.use(csrf({ cookie: false }))
app.use(function (err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') return next(err)
res.status(403)
res.send('session has expired or form tampered with')
})
和
var express = require('express')
var app = module.exports = express()
var nunjucks = require('nunjucks')
var service = require('../../service')
var csrf = require('csurf')
var bodyParser = require('body-parser')
nunjucks.configure('views', {
autoescape: true,
express: app
})
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })
app.get('/getnoun/:id', function (req, res) {
req.models.noun.find({ id: req.params.id }, function (err, noun) {
if (err) {
throw err
service.log('Critical', err.message)
}
res.render('noun', { nouns: noun })
})
})
app.get('/addnoun', function (req, res) {
res.render('addnoun', { csrfToken: req.csrfToken() })
})
//app.post('/savenoun', function (req, res) { // gives same problem both ways
app.post('/savenoun', parseForm, csrfProtection, function (req, res) {
var noun = new req.models.noun({
lemma : req.body.lemma,
gloss : req.body.gloss,
sentence : req.body.sentence,
gender : req.body.gender,
roman : req.body.roman,
img : req.body.img,
level : req.body.level
})
noun.save(function (err) {
if (err) {
throw err
service.log('Critical', err.message)
}
})
res.render('home')
})
在html中:(我查看了源代码以确保将值放入隐藏的输入中)
<form action="/savenoun" method="post">
<input type="text" name="lemma" placeholder="lemma"><br>
<input type="text" name="gloss" placeholder="gloss"><br>
<input type="text" name="roman" placeholder="roman"><br>
<input type="text" name="sentence" placeholder="sentence"><br>
<input type="text" name="gender" placeholder="gender"><br>
<input type="text" name="img" placeholder="image"><br>
<input type="text" name="level" placeholder="level"><br>
<input type="hidden" name="_csrf" value="{{ csrfToken }}">
<button type="submit" class="btn btn-skyblue">Save</button>
</form>
为什么csrf令牌没有得到验证?
答案 0 :(得分:0)
使用csurf npm软件包中的以下代码。
Write-Host "##vso[task.addattachment type=Distributedtask.Core.Summary;name=testsummaryname;]c:\testsummary.md"样品申请
var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var bodyParser = require('body-parser')
var express = require('express')
// setup route middlewares
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })
// create express app
var app = express()
// parse cookies
// we need this because "cookie" is true in csrfProtection
app.use(cookieParser())
app.get('/', function(req, res) {
res.send('Hello World !!! ')
});
app.get('/form', csrfProtection, function (req, res) {
// pass the csrfToken to the view
res.send({ csrfToken: req.csrfToken() })
})
app.post('/process', parseForm, csrfProtection, function (req, res) {
res.send('data is being processed')
})
// error handler
app.use(function (err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') return next(err)
// handle CSRF token errors here
res.status(403)
res.send('form tampered with')
})
var port = 3000;
app.listen(port);
console.log('Server is listening at: ', port);
和
var request = require("request");
var options = { method: 'GET',
url: 'http://localhost:3000/form',
headers:
{ 'cache-control': 'no-cache',
Connection: 'keep-alive',
'accept-encoding': 'gzip, deflate',
cookie: '_csrf=uQmzsYUSlBObB62SJIC_z7tt',
Host: 'localhost:3000',
'Postman-Token': 'b25b248a-319c-4429-be73-b8f0d1d08efc,3768fe7b-4d1f-4486-a40d-107609f97258',
'Cache-Control': 'no-cache',
Accept: '*/*',
'User-Agent': 'PostmanRuntime/7.13.0' } };
request(options, function (error, response, body) {
if (error) throw new Error(error);
console.log(body);
});