Closed miparnisari closed 7 years ago
CSRF tokens aren't tied to user auth, so there's no need to wait till post-login to set and verify the csrf token. In fact it's probably best to have csrf protection on your registration page so that 3rd party websites can't generate spam accounts while bypassing any ip filters you might implement by tricking the browsers of random visitors to their website to submit the registration request.
Okay, so would it be okay to issue a CSRF token on app launch? Say, on the .run()
block of my Angular app?
Yea, that works. The purpose of CSRF as a protection is that there is a gap in the web that allows third-parties to make blind calls to any other web site. All pages that perform some kind of action should be protected by the CSRF token, including your user sign up form, and potentially even your user login form.
The req.csrfToken()
should only ever be called on a page that displays a form (typically uses the GET
method) and then the middleware will automatically validate any POST
, PUT
, etc. requests to make sure they have the token in them.
Or rather, I don't know how to use it :)
Basically, I want the following: 1) When a user registers or logs into my app I want to set a header with an Anti-CSRF token. 2) When a user goes to any other route I want to verify this token.
So I set the following code into my server:
The problem is the following: the line that goes
app.use(csrf({ cookie: true }));
already tries to validate the token. But I cannot remove it, because then this codereq.csrfToken()
would fail becausecsrfToken()
is undefined.Am I missing something here? How do I attach
csrfToken()
toreq
without actually trying to validate it?