我已经在Node.js Exspress应用程序上安装了csurf软件包。令牌以正确的形式显示(似乎),具有name="_csrf"且值等于使用req.csrfToken()设置的某个哈希值。但是我总是收到一个错误消息,说令牌无效。这是我的一些代码:
var express = require('express')
var app = express()
var nunjucks = require('nunjucks')
var bodyParser = require('body-parser')
var session = require('express-session')
var service = require('./service')
var csrf = require('csurf')
app.set('view engine', 'html')
nunjucks.configure('views', {
autoescape: true,
express: app
})
app.set('trust proxy', 1)
app.use(session({
secret: 'Blue Dragon',
resave: false,
saveUninitialized: true
}))
app.use(csrf({ cookie: false }))
app.use(function (err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') return next(err)
res.status(403)
res.send('session has expired or form tampered with')
})
和:
var express = require('express')
var app = module.exports = express()
var nunjucks = require('nunjucks')
var service = require('../../service')
var csrf = require('csurf')
var bodyParser = require('body-parser')
nunjucks.configure('views', {
autoescape: true,
express: app
})
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })
app.get('/getnoun/:id', function (req, res) {
req.models.noun.find({ id: req.params.id }, function (err, noun) {
if (err) {
throw err
service.log('Critical', err.message)
}
res.render('noun', { nouns: noun })
})
})
app.get('/addnoun', function (req, res) {
res.render('addnoun', { csrfToken: req.csrfToken() })
})
//app.post('/savenoun', function (req, res) { // gives same problem both ways
app.post('/savenoun', parseForm, csrfProtection, function (req, res) {
var noun = new req.models.noun({
lemma : req.body.lemma,
gloss : req.body.gloss,
sentence : req.body.sentence,
gender : req.body.gender,
roman : req.body.roman,
img : req.body.img,
level : req.body.level
})
noun.save(function (err) {
if (err) {
throw err
service.log('Critical', err.message)
}
})
res.render('home')
})
在html中:(我查看了源代码以确保在隐藏输入中输入了一个值)
<form action="/savenoun" method="post">
<input type="text" name="lemma" placeholder="lemma"><br>
<input type="text" name="gloss" placeholder="gloss"><br>
<input type="text" name="roman" placeholder="roman"><br>
<input type="text" name="sentence" placeholder="sentence"><br>
<input type="text" name="gender" placeholder="gender"><br>
<input type="text" name="img" placeholder="image"><br>
<input type="text" name="level" placeholder="level"><br>
<input type="hidden" name="_csrf" value="{{ csrfToken }}">
<button type="submit" class="btn btn-skyblue">Save</button>
</form>
为什么不能正确验证csrf令牌?
最佳答案
使用csurf npm包中的以下代码。
var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var bodyParser = require('body-parser')
var express = require('express')
// setup route middlewares
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })
// create express app
var app = express()
// parse cookies
// we need this because "cookie" is true in csrfProtection
app.use(cookieParser())
app.get('/', function(req, res) {
res.send('Hello World !!! ')
});
app.get('/form', csrfProtection, function (req, res) {
// pass the csrfToken to the view
res.send({ csrfToken: req.csrfToken() })
})
app.post('/process', parseForm, csrfProtection, function (req, res) {
res.send('data is being processed')
})
// error handler
app.use(function (err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') return next(err)
// handle CSRF token errors here
res.status(403)
res.send('form tampered with')
})
var port = 3000;
app.listen(port);
console.log('Server is listening at: ', port);
样品申请
var request = require("request");
var options = { method: 'GET',
url: 'http://localhost:3000/form',
headers:
{ 'cache-control': 'no-cache',
Connection: 'keep-alive',
'accept-encoding': 'gzip, deflate',
cookie: '_csrf=uQmzsYUSlBObB62SJIC_z7tt',
Host: 'localhost:3000',
'Postman-Token': 'b25b248a-319c-4429-be73-b8f0d1d08efc,3768fe7b-4d1f-4486-a40d-107609f97258',
'Cache-Control': 'no-cache',
Accept: '*/*',
'User-Agent': 'PostmanRuntime/7.13.0' } };
request(options, function (error, response, body) {
if (error) throw new Error(error);
console.log(body);
});
和
var request = require("request");
var options = { method: 'POST',
url: 'http://localhost:3000/process',
headers:
{ 'cache-control': 'no-cache',
Connection: 'keep-alive',
'content-length': '',
'accept-encoding': 'gzip, deflate',
cookie: '_csrf=uQmzsYUSlBObB62SJIC_z7tt',
Host: 'localhost:3000',
'Postman-Token': '2c3d2ee3-8678-4cef-a926-48866083112f,016ab945-a9fb-4fa9-95a7-e62f934414bb',
'Cache-Control': 'no-cache',
Accept: '*/*',
'User-Agent': 'PostmanRuntime/7.13.0',
'CSRF-Token': '0zMVtG9B-OEI4ZD_9meo9EiWpPkOfngwRWkU' } };
request(options, function (error, response, body) {
if (error) throw new Error(error);
console.log(body);
});
关于javascript - Node js csurf token 始终无效,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/41763654/