hapijs / crumb

CSRF crumb generation and validation for hapi

Unable to implement crumb for CSRF protection in an application with APIs developed using hapi and a front end developed using Angular #127

Closed milya closed 5 years ago

milya commented 5 years ago

Hi, I am getting a 403 Forbidden error when I access a hapi endpoint protected with a crumb token. I have used npm's crumb package (https://www.npmjs.com/package/crumb) for CSRF in my API. My APIs are developed using hapi and the front end is Angular 5.

I get the crumb token in the 'set-cookie' response header of my hapi API endpoint. The crumb token is different for each endpoint.

Please help me: how should I validate the crumb token for every request sent to my hapi endpoint from my Angular application?

I have tried the approaches below:

1) I have added an interceptor in my Angular app and tried to extract the token using the getToken method of 'HttpXsrfTokenExtractor' and set it in the 'X-XSRF-Token' header. It is throwing the exception "getToken" is not a function.

2) I have added an endpoint "getCrumb"; this endpoint returns the crumb token. I am passing this crumb token to the login endpoint in the 'X-XSRF-Token' header. But this is giving me a 403 Forbidden error for the login API.

Please suggest asap

D34THWINGS commented 5 years ago

@milya I've achieved working CSRF with a React application by making the hapi application serve my React application and injecting the raw CSRF token into the index.html (in a script tag, to make it available on window or something like that). Then, when I make an XHR call within my React app, I send the raw token inside the X-CSRF-Token header. crumb will then compare the token sent inside the XHR call and the encoded one in the crumb cookie. Make sure to have `restful` set to true to be able to use the header.

spanditcaa commented 5 years ago

closing, answered.

lock[bot] commented 4 years ago

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.