Closed dwangus closed 8 years ago
I'm going to do my best to answer your questions but I would like to point out that I'm not an expert in this field either.
The /generate path, in this example, creates an X-CSRF-TOKEN and sends it back with the response as a cookie. By crumb's defaults, its name is "crumb" and it has a randomly generated value. Only JavaScript served from this domain will have access to that cookie.
The /crumbed path is there for testing, more or less. Once you have that X-CSRF-TOKEN you would add it to the request header. For example: 'X-CSRF-Token: rAnD0mVALU3'. If you don't, the server will respond with a 403.
Normally, you would generate this token when the user first authenticates. Your application would then need to send this header value for all requests.
I'm not sure... how exactly the PUT method in the example checks for a "X-CSRF-Token" in the request header
That's the purpose of this plugin. It does it for you!
One thing I would suggest is to download these examples and use a tool like Postman to play around with the API. If you run the restful.js server and make a GET request to /generate you will receive back a token in both the body and as a cookie. The cookie will always be generated, but showing it in the body as well is just part of this example (it comes from https://github.com/hapijs/crumb/blob/master/example/restful.js#L27).
If you try doing a PUT request to /crumbed you will get a 403. If you take that value from /generate and add it as a header in your PUT request you will receive a 200 response and some data, 'Crumb route', in the response body.
Well said @adam-beck, that answers the question nicely 👍 @dwangus feel free to re-open this issue if you need any other clarity on the subject.
What exactly are the paths /generate and /crumbed? ...I'm not exactly sure how to (or whether or not to) change the paths in the example, or if we always need to go to '/generate' to get a crumb token, or if we should be generating a new token at every new path we arrive at, etc. I'm also not sure what exactly '/crumbed' is supposed to be, or how exactly the PUT method in the example checks for an "X-CSRF-Token" in the request header... I'm sorry, I'm new to Node.js and have been trying to dissect your code and integrate it with https://github.com/jedireza/frame.