Closed Bogdan-Kalynovskyi closed 6 years ago
app.post('/authenticate', csrf({ cookie: true, ignoreMethods: ['POST'] }), function (req, res) {
The middleware instance you mount on your POST route should just have POST included in your ignoreMethods option.
It still does not validate the token in the subsequent request since the function returns a different value.
Here's the example from the official docs, except for one difference: xsrfToken is sent in response to a POST request, not GET:
I'm facing the egg-hen problem: if I enable csrfProtection, I cannot access the endpoint without the token, but if I disable it, req.csrfToken becomes undefined.
I need the /authenticate endpoint to be POST, because I don't want to expose the password as a URL parameter.
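The pattern discussed in this thread (a POST login route whose middleware instance ignores POST and hands out a token, with validation on later requests), as an added example that is not part of the original thread and is not csurf's code. `csrfGuard`, `createToken`, `verifyToken` and the `x-csrf-token` header are hypothetical stand-ins that model a cookie-mode, salted-token scheme using only Node's `crypto`.

```javascript
// Added illustration: a hypothetical stand-in for cookie-mode CSRF middleware (not csurf's code).
const { randomBytes, createHmac, timingSafeEqual } = require('crypto');

// Token = salt + '-' + HMAC(secret, salt); a fresh salt makes every token look different.
function createToken(secret) {
  const salt = randomBytes(8).toString('hex');
  return salt + '-' + createHmac('sha256', secret).update(salt).digest('hex');
}

function verifyToken(secret, token) {
  if (typeof secret !== 'string' || typeof token !== 'string') return false;
  const salt = token.slice(0, token.indexOf('-'));
  const expected = Buffer.from(salt + '-' + createHmac('sha256', secret).update(salt).digest('hex'));
  const given = Buffer.from(token);
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// One guard instance per route; ignoreMethods lists the methods that skip validation.
function csrfGuard({ ignoreMethods = ['GET', 'HEAD', 'OPTIONS'] } = {}) {
  return function handle(req) {
    // Reuse the secret from the cookie, or mint one on first contact.
    const secret = req.cookies._csrf || randomBytes(18).toString('hex');
    const res = { status: 200, cookies: { _csrf: secret }, csrfToken: () => createToken(secret) };
    const mustValidate = !ignoreMethods.includes(req.method);
    if (mustValidate && !verifyToken(req.cookies._csrf, req.headers['x-csrf-token'])) res.status = 403;
    return res;
  };
}

function demo() {
  const loginGuard = csrfGuard({ ignoreMethods: ['POST'] }); // mounted on /authenticate only
  const apiGuard = csrfGuard();                               // mounted on every other route
  // Constructed requests: a first POST without cookie or token, then follow-up POSTs.
  const first = { method: 'POST', cookies: {}, headers: {} };
  const login = loginGuard(first);
  const t1 = login.csrfToken();
  const t2 = login.csrfToken();
  const send = (token) =>
    apiGuard({ method: 'POST', cookies: login.cookies, headers: { 'x-csrf-token': token } }).status;
  return {
    loginStatus: login.status,           // POST is ignored on the login instance
    firstOnApi: apiGuard(first).status,  // same request on a validating route is refused
    tokensDiffer: t1 !== t2,
    withT1: send(t1), withT2: send(t2),  // both verify against the same cookie secret
    withoutToken: send(undefined),
    wrongSecret: send(createToken('other-secret')),
  };
}
```

In this model the login route performs no CSRF check at all, so only the routes behind the default instance are protected; tokens differ on every call because of the salt, yet each one verifies against the secret held in the cookie.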