NodeJS CSurf:ForbiddenError:无效的CSRF令牌

时间:2020-08-29 14:21:54

标签: node.js angular csrf

使用Angular和Nodejs作为后端。即使在请求cookie中看到相同的_csrf令牌,csurf中间件也会引发“禁止”错误。我的网址是:https://192.168.0.100.xip.io:64726/ 

Error log:
method is GET url is /
{"G_ENABLED_IDPS":"google","G_AUTHUSER_H":"0","_csrf":"XcUDRcxDPpje0nlNGdF4bZpn"}
method is POST url is /api/login/verify
{"G_ENABLED_IDPS":"google","G_AUTHUSER_H":"0","_csrf":"XcUDRcxDPpje0nlNGdF4bZpn"}
ForbiddenError: invalid csrf token
   at csrf (/Users/admin/nodejs/google-signin-server/node_modules/csurf/index.js:112:19)
   at Layer.handle [as handle_request] (/Users/admin/nodejs/google-signin-server/node_modules/express/lib/router/layer.js:95:5)
   at next (/Users/admin/nodejs/google-signin-server/node_modules/express/lib/router/route.js:137:13)
   at urlencodedParser (/Users/admin/nodejs/google-signin-server/node_modules/body-parser/lib/types/urlencoded.js:100:7)
   at Layer.handle [as handle_request] (/Users/admin/nodejs/google-signin-server/node_modules/express/lib/router/layer.js:95:5)
   at next (/Users/admin/nodejs/google-signin-server/node_modules/express/lib/router/route.js:137:13)
   at Route.dispatch (/Users/admin/nodejs/google-signin-server/node_modules/express/lib/router/route.js:112:3)
   at Layer.handle [as handle_request] (/Users/admin/nodejs/google-signin-server/node_modules/express/lib/router/layer.js:95:5)
   at /Users/admin/nodejs/google-signin-server/node_modules/express/lib/router/index.js:281:22
   at Function.process_params (/Users/admin/nodejs/google-signin-server/node_modules/express/lib/router/index.js:335:12)

Nodejs:

var cookieParser = require('cookie-parser')
var csrf = require('csurf')
const bodyParser = require('body-parser')

const helmet = require("helmet");
// var session = require('express-session')
const uuid    = require('uuid/v4');
const app = express()
const parseForm = bodyParser.urlencoded({ extended: false });
const csrfProtection = csrf({cookie:true,secure:true,httpOnly:false})
app.use(cookieParser())


app.use((req, res, next) => {
  const { method, url } = req;

  console.log(" method is "+ method + " url is " + url)
   logger.info('cookie', req.cookies)
next() 

})
app.get('/', csrfProtection, function(req, res) {
  console.log('app // get called')
  // Pass the Csrf Token
  tokenVal =  req.csrfToken();
  res.json({csrfToken: tokenVal });
  res.sendFile('index.html');
  
});

app.post('/api/login/verify',parseForm, csrfProtection,(req, res) => {
  verify(req.body.idToken)
    .then((result) => {
      let id = result['sub']
      logger.info('id=', id)
      res.send({
           'payload': result
         })
         
             }).catch(logger.error)
});

0 个答案:

没有答案
相关问题
最新问题