hapijs / crumb

CSRF crumb generation and validation for hapi

Just a random question about example/restful.js #83

Closed dwangus closed 8 years ago

dwangus commented 8 years ago

What exactly are the paths /generate and /crumbed? ...I'm not exactly sure how to (or whether or not to) change the paths in the example, or if we always need to go to '/generate' to get a crumb-token, or if we should be generating a new token at every new path we arrive at, etc. I'm also not sure what exactly '/crumbed' is supposed to be, or how exactly the PUT method in the example checks for a "X-CSRF-Token" in the request header... I'm sorry, I'm new to Nodejs and have been trying to dissect your code and integrating it with https://github.com/jedireza/frame.

adam-beck commented 8 years ago

I'm going to do my best to answer your questions but I would like to point out that I'm not an expert in this field either.

The /generate path, in this example, creates an X-CSRF-TOKEN and sends it back with the response as a cookie. By crumb's defaults, its name is "crumb" and it has a randomly generated value. Only JavaScript served from this domain will have access to that cookie.

The /crumbed path is there for testing, more or less. Once you have that X-CSRF-TOKEN you would add it to the request header. For example: `X-CSRF-Token: rAnD0mVALU3`. If you don't, the server will respond with a 403.

Normally, you would generate this token when the user first authenticates. Your application would then need to send this header value for all requests.

> I'm not sure... how exactly the PUT method in the example checks for a "X-CSRF-Token" in the request header

That's the purpose of this plugin. It does it for you!

One thing I would suggest is to download these examples and use a tool like Postman to play around with the API. If you run the restful.js server and make a GET request to /generate you will receive back a token in both the body and as a cookie. The cookie will always be generated but showing it in the body as well is just part of this example (it comes from https://github.com/hapijs/crumb/blob/master/example/restful.js#L27).

If you try doing a PUT request to /crumbed you will get a 403.

If you take that value from the /generate and add it as a header in your PUT request you will receive a 200 response and some data, 'Crumb route', in the response body.

stongo commented 8 years ago

well said @adam-beck, that answers the question nicely 👍 @dwangus feel free to re-open this issue if you need any other clarity on the subject

lock[bot] commented 4 years ago

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.