节点js csurf令牌总是无效答案

【问题标题】：Node js csurf token always invalid节点js csurf令牌总是无效
【发布时间】：2017-06-05 10:37:23
【问题描述】：

我已经在 Node.js Express 应用程序上安装了 csurf 包。令牌以正确的形式显示（看起来），name="_csrf" 和值等于某个散列值，它是用req.csrfToken() 设置的。但我总是收到一个错误，说令牌无效。这是我的一些代码：

var express = require('express')
var app = express()
var nunjucks = require('nunjucks')
var bodyParser = require('body-parser')
var session = require('express-session')
var service = require('./service')
var csrf = require('csurf')

app.set('view engine', 'html')
nunjucks.configure('views', {
    autoescape: true,
    express: app
})

app.set('trust proxy', 1)
app.use(session({
  secret: 'Blue Dragon',
  resave: false,
  saveUninitialized: true
}))

app.use(csrf({ cookie: false }))
app.use(function (err, req, res, next) {
    if (err.code !== 'EBADCSRFTOKEN') return next(err)
    res.status(403)
    res.send('session has expired or form tampered with')
})

和：

var express = require('express')
var app = module.exports = express()
var nunjucks = require('nunjucks')
var service = require('../../service')
var csrf = require('csurf')
var bodyParser = require('body-parser')

nunjucks.configure('views', {
    autoescape: true,
    express: app
})

var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })

app.get('/getnoun/:id', function (req, res) {
    req.models.noun.find({ id: req.params.id }, function (err, noun) {
        if (err) {
            throw err
            service.log('Critical', err.message)
        }
        res.render('noun', { nouns: noun })
    })
})

app.get('/addnoun', function (req, res) {
    res.render('addnoun', { csrfToken: req.csrfToken() })
})

//app.post('/savenoun', function (req, res) { // gives same problem both ways
app.post('/savenoun', parseForm, csrfProtection, function (req, res) {
    var noun = new req.models.noun({
        lemma : req.body.lemma,
        gloss : req.body.gloss,
        sentence : req.body.sentence,
        gender : req.body.gender,
        roman : req.body.roman,
        img : req.body.img,
        level : req.body.level
    })

    noun.save(function (err) {
        if (err)  {
            throw err
            service.log('Critical', err.message)
        }
    })

    res.render('home')
})

在 html 中：（我查看了源代码以确保将值放入隐藏的输入）

<form action="/savenoun" method="post">
    <input type="text" name="lemma" placeholder="lemma"><br>
    <input type="text" name="gloss" placeholder="gloss"><br>
    <input type="text" name="roman" placeholder="roman"><br>
    <input type="text" name="sentence" placeholder="sentence"><br>
    <input type="text" name="gender" placeholder="gender"><br>
    <input type="text" name="img" placeholder="image"><br>
    <input type="text" name="level" placeholder="level"><br>
    <input type="hidden" name="_csrf" value="{{ csrfToken }}">
    <button type="submit" class="btn btn-skyblue">Save</button>
</form>

为什么没有正确验证 csrf 令牌？

【问题讨论】：

不知道这里能不能发视频链接，但是第5分钟开始有使用csrf保护watch me的完美解释
你没有忘记在表单中添加这个<input type="hidden" name="_csrf" value="{{ csrfToken }}">吗？

标签： javascript node.js express csrf

【解决方案1】：

使用 csurf npm 包中的以下代码。

var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var bodyParser = require('body-parser')
var express = require('express')

// setup route middlewares
var csrfProtection = csrf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })

// create express app
var app = express()

// parse cookies
// we need this because "cookie" is true in csrfProtection
app.use(cookieParser())

app.get('/', function(req, res) {
 res.send('Hello World !!! ')
});

app.get('/form', csrfProtection, function (req, res) {
  // pass the csrfToken to the view
  res.send({ csrfToken: req.csrfToken() })
})

app.post('/process', parseForm, csrfProtection, function (req, res) {
  res.send('data is being processed')
})

// error handler
app.use(function (err, req, res, next) {
  if (err.code !== 'EBADCSRFTOKEN') return next(err)

  // handle CSRF token errors here
  res.status(403)
  res.send('form tampered with')
})

var port = 3000;

app.listen(port);
console.log('Server is listening at: ', port);

样品申请

var request = require("request");
var options = { method: 'GET',
  url: 'http://localhost:3000/form',
  headers: 
   { 'cache-control': 'no-cache',
     Connection: 'keep-alive',
     'accept-encoding': 'gzip, deflate',
     cookie: '_csrf=uQmzsYUSlBObB62SJIC_z7tt',
     Host: 'localhost:3000',
     'Postman-Token': 'b25b248a-319c-4429-be73-b8f0d1d08efc,3768fe7b-4d1f-4486-a40d-107609f97258',
     'Cache-Control': 'no-cache',
     Accept: '*/*',
     'User-Agent': 'PostmanRuntime/7.13.0' } };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

和

var request = require("request");
var options = { method: 'POST',
  url: 'http://localhost:3000/process',
  headers: 
   { 'cache-control': 'no-cache',
     Connection: 'keep-alive',
     'content-length': '',
     'accept-encoding': 'gzip, deflate',
     cookie: '_csrf=uQmzsYUSlBObB62SJIC_z7tt',
     Host: 'localhost:3000',
     'Postman-Token': '2c3d2ee3-8678-4cef-a926-48866083112f,016ab945-a9fb-4fa9-95a7-e62f934414bb',
     'Cache-Control': 'no-cache',
     Accept: '*/*',
     'User-Agent': 'PostmanRuntime/7.13.0',
     'CSRF-Token': '0zMVtG9B-OEI4ZD_9meo9EiWpPkOfngwRWkU' } };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

【讨论】：