快速CSRF令牌验证

Question

快速CSRF令牌验证

sal*_*lep 7 csrf node.js csrf-protection express

我遇到了CSRF令牌问题.当我提交表单时,XSRF-TOKEN会生成一个新表单,但我认为我正在生成两个不同的令牌,我有点困惑.还有一个令牌_csrf,所以我在开发者工具(XSRF-TOKEN和_csrf)中看到两个不同的cookie,在_csrf帖子后没有变化.

我想要做的是为每个帖子请求生成一个新令牌,并检查它是否有效.有一点我知道我应该为了安全而做,但我坚持了.

这是漫长的一天,我是Express和NodeJS的新手.

这是我目前的设置.

var express = require('express')
  , passport = require('passport')
  , flash = require('connect-flash')
  , utils = require('./utils')
  , csrf = require('csurf')
  // setup route middlewares
  ,csrfProtection = csrf({ cookie: true })
  , methodOverride = require('method-override')
  , bodyParser = require("body-parser")
  , parseForm = bodyParser.urlencoded({ extended: false })
  , cookieParser = require('cookie-parser')
  , cookieSession = require('cookie-session')
  , LocalStrategy = require('passport-local').Strategy
  , RememberMeStrategy = require('../..').Strategy;


var app = express();

app.set('views', __dirname + '/views');
app.set('view engine', 'ejs');
app.engine('ejs', require('ejs-locals'));
app.use(express.logger());
app.use(express.static(__dirname + '/../../public'));
app.use(cookieParser());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());
app.use(methodOverride());
app.use(express.session({ secret: 'keyboard cat' }));
app.use(flash());
// Initialize Passport!  Also use passport.session() middleware, to support
// persistent login sessions (recommended).
app.use(passport.initialize());
app.use(passport.session());
app.use(passport.authenticate('remember-me'));
app.use(app.router);
app.use(csrf());

app.use(function (req, res, next) {
  res.cookie('XSRF-TOKEN', req.csrfToken());
  res.locals.csrftoken = req.csrfToken();
  next();
});

Run Code Online (Sandbox Code Playgroud)

路线

app.get('/form', csrfProtection, function(req, res) {
  // pass the csrfToken to the view
  res.render('send', { csrfToken: req.csrfToken()});
});

app.post('/process', parseForm, csrfProtection, function(req, res) {
  res.send('data is being processed');
});

Run Code Online (Sandbox Code Playgroud)

send.ejs(/表格GET)

<form action="/process" method="POST">
  <input type="hidden" name="_csrf" value="<%= csrfToken %>">

  Favorite color: <input type="text" name="favoriteColor">
  <button type="submit">Submit</button>
</form>

Run Code Online (Sandbox Code Playgroud)

Answer 1

Fil*_*ype 12

根据您共享的代码量,有些事情看起来不正确:

1.您可能需要交换这些行,以便csrf在路由之前运行.

app.use(app.router);
app.use(csrf());

Run Code Online (Sandbox Code Playgroud)

2.这些线路需要放在路线之前.

app.use(csrf());
app.use(function (req, res, next) {
  res.cookie('XSRF-TOKEN', req.csrfToken());
  res.locals.csrftoken = req.csrfToken();
  next();
});
app.use(app.router);

Run Code Online (Sandbox Code Playgroud)

3.locals.csrftoken在表单中使用

<form action="/process" method="POST">
  <input type="hidden" name="_csrf" value="<%= csrftoken %>">

  Favorite color: <input type="text" name="favoriteColor">
  <button type="submit">Submit</button>
</form>

Run Code Online (Sandbox Code Playgroud)

归档时间：	10 年，4 月前
查看次数：	20417 次
最近记录：	8 年，11 月前