我仍然收到有关CSRF令牌的错误,但我定义正确

时间:2019-06-06 13:04:33

标签: node.js

我收到有关CSRF令牌的错误,但我不知道为什么。 我正在使用NodeJS。

我尝试删除所有带有CSRF令牌的输入,但随后没有任何形式可用。

这是我的app.js


const path = require('path');

const express = require('express');
const bodyParser = require('body-parser');
const mongoose = require('mongoose');
const session = require('express-session');
const MongoDBStore = require('connect-mongodb-session')(session);
const csrf = require('csurf');
const errorController = require('./controllers/error');
const User = require('./models/user');
const multer = require('multer');
const flash = require('connect-flash');

const feedController = require('./controllers/feed');

const isAuth = require('./middleware/is-auth');
const MONGODB_URI =
  'mongodb+srv://calinonaca:mamaligaP123@cluster0-uwtti.mongodb.net/mirrrortest';

const app = express();
const store = new MongoDBStore({
  uri: MONGODB_URI,
  collection: 'sessions'
});
const csrfProtection = csrf();
const fileStorage = multer.diskStorage({
  destination:(req,file,cb) => {
    cb(null,'images');
  },
  filename: (req,file,cb) => {
    cb(null,new Date().toISOString() + '-' + file.originalname);
  }
});

app.set('view engine', 'ejs');
app.set('views', 'views');

const fileFilter = (req, file, cb) => {
  if(file.mimetype ==='image/png' || file.mimetype === 'image/jpg' || file.mimetype === 'image/jpeg')
  {
    cb(null, true);
  } else {
    cb(null, false);
  }


}
const feedRoutes = require('./routes/feed');
const authRoutes = require('./routes/auth');

app.use(bodyParser.urlencoded({ extended: false }));
app.use(multer({storage:fileStorage, fileFilter: fileFilter}).single('image'));
app.use(express.static(path.join(__dirname, 'public')));
app.use('/images', express.static(path.join(__dirname,'images')));
app.use(
  session({
    secret: 'my secret',
    resave: false,
    saveUninitialized: false,
    store: store
  })
);


app.use(flash());
app.use((req, res, next) => {
  if (!req.session.user) {
    return next();
  }
  User.findById(req.session.user._id)
    .then(user => {
      req.user = user;
      next();
    })
    .catch(err => console.log(err));
});
app.use((req,res,next) => {
res.locals.isAuthenticated = req.session.isLoggedIn;

next();
});
app.post('/payment',isAuth,feedController.postPayment);
app.use(csrfProtection);
app.use((req,res,next)=> {
  res.locals.csrfToken = req.csrfToken();
  next();
});
app.use(feedRoutes);
app.use(authRoutes);

app.use(errorController.get404);

mongoose
  .connect(MONGODB_URI)
  .then(result => {
  app.listen(3000);
  })
  .catch(err => {
    console.log(err);
  });

在这里我得到了错误,但是如果我删除了输入,它将跳转到下一个表格,我会得到CSRF的输入

<form action="/logout" method="POST">
                        <input type="hidden" name="_csrf" value="<%= csrfToken %>">
                        <button>Sign out</button></form>

我不知道该怎么做,我将CSRF保护放在Stripe之后,因为Stripe使用的是他自己的令牌,然后是我的路线。付款完成后,我收到了此错误消息。付款有效,但是当我再次渲染用户配置文件时,会把这个扔给我。 谢谢!

0 个答案:

没有答案