invalid csrf token


  • Anime Lovers

    Use-case

    1. User (browser) submits a todo item to the server, using route POST '/todo'.
    2. Server checks if the user is logged on. If not logged on, redirect to the logon page -
       middleware.ensureLoggedIn()

    However, the server throws an "invalid csrf token" message. I believe this is caused by redirecting using POST '/login' instead of GET '/login', which is incorrect.

    Is there any way to handle such a common use case?
    Please advise me. Thanks!


  • Community Rep

    You can send the csrf token with your post request as "_csrf".

    The token is stored at config.csrf_token

    Something like this should work

    <input id="csrf" type="hidden" name="_csrf"> <!-- Inside your form. -->
    ...
    <script>$('#csrf').val(config.csrf_token);</script>
    

    You can also get the token from /api/config if you're using this for an app or cURLing.


  • Anime Lovers

    Thanks @yariplus for your reply.

    Let me elaborate on my use case with more details:

    1. A new user (not logged on) comes to xyz.com's TODO page.
    2. The new user tries out a feature (e.g. adding a TODO item) by clicking the "Add" button.
    3. The "Add" button sends a POST to the server.
    4. The server checks that the user is not logged on, and so redirects the new user to the login page.

    As you know, the exception is thrown at step 4, due to "invalid csrf token". So if I understand you correctly, I will need to embed a csrf token in the TODO page?


  • Community Rep

    Actually, I'm not quite sure what is happening. You should always include a csrf token in a form, but that doesn't seem related to your problem.

    It appears to be like you said, and the redirect is POSTing to /login.


  • Admin

    @Bruce-Lee Are you adding the middleware.applyCSRF middleware to your route handler?


  • Anime Lovers

    Thanks @yariplus and @julian for the help; I made a careless mistake.
    The button was requesting using the wrong method, i.e. PUT instead of POST.

