Closed prufrock123 closed 6 years ago
Hi @prufrock123, your description sounds exactly right to me, so I'm not sure what the confusion is. I have never used Postman, so I wouldn't be familiar with how to use it to test this, unfortunately. Do you have any tips you can provide to help me out?
Oh, I just finished looking at the SO link you provided, and that is actually the Spring framework (which is in Java). This is a common mistake that happens so often :) ! This is actually a module for Node.js (JavaScript) on the Express.js framework. The Spring framework issue tracker is here: https://github.com/spring-projects/spring-framework
Sorry for any confusion you may have had between these two; it happens every so often, so no biggie 👍
Hello @dougwilson,
Thanks for your reply!
Sorry, I did not create a super-helpful issue here. I actually do intend to use this in a node framework. I actually have it working fine now, but my trouble was because I did not understand the steps I described above.
It's true, it is documented this way and I was able to piece together the above also through your explanations such as here: https://github.com/expressjs/csurf/issues/118#issuecomment-286609749
I was just wondering if perhaps I could submit a PR that clarifies this further for others who may be confused.
Then the second part of my issue was about how this might work in a context where you do not have access to the DOM to retrieve the csrf-token from a form field. Postman is simply a tool to test APIs that allows you to make requests to endpoints. It's like cURL but with a lot of UI helpers and tons of additional functionality.
However, I think I figured out a way around how this might work. It is the subject of this other issue here: https://github.com/expressjs/csurf/issues/118
I commented there as well regarding someone's proposed solution, as I don't think it would be ideal.
Thanks again for your response!
I know some (including me) have had confusion about the difference between the csrf cookie placed in the client and the token submitted in the requests.
I understand it to work the following way:
If this is the case, is there any way to test a CSRF-protected POST route via something like Postman? And if so, does anyone have suggestions for this?
I've looked at some answers such as this here: https://stackoverflow.com/questions/27182701/how-do-i-send-spring-csrf-token-from-postman-rest-client/35925413
But they don't seem to work as described.