dstroot / skeleton

Node Express MongoDB Bootstrap Passport... all rolled up into juicy goodness
skeleton-app.jit.su
MIT License
370 stars 47 forks

csrf #31

Closed draschke closed 9 years ago

draschke commented 9 years ago

Hi Dan,

For one week now I have been trying to exclude CSRF-proofing for one iframe page. I used the code from hackathon-starter and it worked fine for his framework. (He is using "lusca".)

Now I am trying to use the code for skeleton, but I can't get it solved. I tried it with csurf and lusca, but I always run into new trouble.

Would it be possible for you to include a sample in your framework?

old version on hackathon-starter (worked in my hackathon-starter sample):

```javascript
// Assumed setup, not part of the snippet as posted: csrf is the Lusca CSRF middleware
var lusca = require('lusca');
var csrf = lusca.csrf();

var whitelist = ['/comment', '/comment/create'];
app.use(function(req, res, next) {
  // Skip the CSRF check for whitelisted paths, enforce it everywhere else
  if (whitelist.indexOf(req.path) !== -1) next();
  else csrf(req, res, next);
});
```

new version on hackathon-starter (I don't use it):

```javascript
// Assumed setup, not part of the snippet as posted: lodash/underscore provides
// _.contains, and csrf is the Lusca CSRF middleware
var _ = require('lodash');
var csrf = require('lusca').csrf();

var csrfExclude = ['/url1', '/url2'];
app.use(function(req, res, next) {
  // CSRF protection.
  if (_.contains(csrfExclude, req.path)) return next();
  csrf(req, res, next);
});
```

Thanks for your help.

draschke commented 9 years ago

Hi, I found a solution for my problem on this page: https://gist.github.com/vernak2539/9475654 I don't really see any differences, but it works fine.

```javascript
// Routes listed here skip the CSRF check; keys are exact values of req.path.
// The placeholder path and the csrf middleware instance are assumptions,
// not part of the gist as quoted.
var csrfFreeRoutes = { '/your-iframe-route': true };

var conditionalCSRF = function(req, res, next) {
  if (Boolean(csrfFreeRoutes[req.path])) {
    next();
  } else {
    csrf(req, res, next);
  }
};
```

dstroot commented 9 years ago

Thanks for sharing the solution! Since I use Helmet instead of Lusca I really wasn't able to help troubleshoot.