expressjs / csurf

CSRF token middleware
MIT License

Can docs clarify how cookie mode works? #137

Closed prufrock123 closed 6 years ago

prufrock123 commented 6 years ago

I know some (including me) have had confusion about the difference between the csrf cookie placed in the client and the token submitted in the requests.

I understand it to work the following way:

  1.  Uses a random value as a secret to create a “token”
  2.  Stores this random value secret as a cookie (this is the csrf cookie we see in the client's browser)
  3.  We take the “token” created from this secret and store it as a hidden value in a form.
  4.  When the form is submitted, the CSURF middleware takes the “token” submitted with the form via a hidden field and compares it with the secret stored in the csrf cookie.
  5.  If it doesn’t match (after de-hashing?), it says the CSRF token is invalid and rejects the request.

If this is the case, is there any way to test a CSRF-protected POST route via something like Postman? And if so, does anyone have suggestions for this?

I've looked at some answers such as this here: https://stackoverflow.com/questions/27182701/how-do-i-send-spring-csrf-token-from-postman-rest-client/35925413

But they don't seem to work as described.

dougwilson commented 6 years ago

Hi @prufrock123, your description sounds exactly right to me, so not sure what the confusion is. I have never used Postman, so wouldn't be familiar with how to use it to test this, unfortunately. Do you have any tips you can provide to help me out?

dougwilson commented 6 years ago

Oh, I just finished looking at the SO link you provided and that is actually the Spring framework (which is in Java). This is actually a common mistake that happens so often :)! This is actually a module for Node.js (JavaScript) on the Express.js framework. The Spring framework issue tracker is here: https://github.com/spring-projects/spring-framework

Sorry for any confusion you may have had between these two; it happens every so often, so no biggie 👍

prufrock123 commented 6 years ago

Hello @dougwilson,

Thanks for your reply!

Sorry, I did not create a super-helpful issue here. I actually do intend to use this in a node framework. I actually have it working fine now, but my trouble was because I did not understand the steps I described above.

It's true, it is documented this way and I was able to piece together the above also through your explanations such as here: https://github.com/expressjs/csurf/issues/118#issuecomment-286609749

I was just wondering if perhaps I could submit a PR that clarifies this further for others who may be confused.

Then the second part of my issue was about how this might work in a context where you do not have access to the DOM to retrieve the csrf-token from a form field. Postman is simply a tool to test APIs that allows you to make requests to endpoints. It's like cURL but with a lot of UI helpers and tons of additional functionality.

However, I think I figured out a way around how this might work. It is the subject of this other issue here: https://github.com/expressjs/csurf/issues/118

I commented there as well regarding someone's proposed solution, as I don't think it would be ideal.

Thanks again for your response!