expressjs / csurf

CSRF token middleware

Invalid Token when using 'Ignoring Routes' example #89

Closed annon12 closed 8 years ago

annon12 commented 8 years ago

When using the first example in the Readme (using the Ejs template language), the token validation works fine. When I try using the 'Ignoring Routes' example, on the 'GET /form' to 'POST /process' execution (just as I did in the first example), I get 'invalid token' on the 'POST'. The token is being passed to the form on the GET. Any ideas?

dougwilson commented 8 years ago

Hi! I'm not sure, can you provide some more information? I don't seem to be able to reproduce the issue. Perhaps share a repo or a gist of the example code you are using along with the templates so we can take a look?

annon12 commented 8 years ago

Hello, I have just posted to Stack Overflow with example code. http://stackoverflow.com/questions/35326761/invalid-token-using-expressjs-csurf-middleware-example

I just installed the latest version of Nodejs and I just used the cmd 'npm install XXX' for each required module. Maybe I need specific versions?

dougwilson commented 8 years ago

Ah, I see what you are saying. The reason it's not working is because the https://github.com/expressjs/csurf#ignoring-routes example only accepts the CSRF token being in the query string or HTTP header, not in the POST body. This is because the form is not actually getting parsed until after the csrf token validation occurs. I'll move up the parseForm in the example.
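The ordering problem described in the last comment, as an added example that is not code from this thread or from csurf. `parseForm`, `csrfProtection`, `run` and `formPost` are simplified stand-ins written for illustration, and the request and token values are constructed; only the `_csrf` field name, the `csrf-token` header and the `EBADCSRFTOKEN` error code follow csurf's documented behaviour.

```javascript
// Stand-in for bodyParser.urlencoded(): fills req.body from the raw form body.
function parseForm(req, res, next) {
  req.body = Object.fromEntries(new URLSearchParams(req.rawBody || ''));
  next();
}

// Stand-in for the CSRF check (not csurf's implementation): looks for the token
// in the parsed body, then the query string, then a header, and compares it
// with the value held for this session.
function csrfProtection(req, res, next) {
  const token = (req.body && req.body._csrf) ||
                (req.query && req.query._csrf) ||
                req.headers['csrf-token'];
  if (token !== req.session.csrfToken) {
    const err = new Error('invalid csrf token');
    err.code = 'EBADCSRFTOKEN';
    return next(err);
  }
  next();
}

// Runs middleware in order, Express-style, and stops at the first error.
function run(stack, req) {
  let outcome = 'ok';
  let i = 0;
  (function next(err) {
    if (err) { outcome = err.code; return; }
    const mw = stack[i++];
    if (mw) mw(req, {}, next);
  })();
  return outcome;
}

// Constructed POST /process request; the token travels in the form body unless
// the caller moves it to a header.
function formPost(headers = {}, rawBody = '_csrf=tok-123&name=alice') {
  return { method: 'POST', headers, query: {}, rawBody,
           session: { csrfToken: 'tok-123' } };
}

// Token in body, CSRF check before the parser: req.body is still undefined.
console.log('csrf -> parseForm:', run([csrfProtection, parseForm], formPost()));
// Parser first: the check can see req.body._csrf.
console.log('parseForm -> csrf:', run([parseForm, csrfProtection], formPost()));
// Header token works in either order, which is why only form posts failed.
console.log('header, csrf first:',
  run([csrfProtection, parseForm], formPost({ 'csrf-token': 'tok-123' }, 'name=alice')));
```
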