hapijs / crumb

CSRF crumb generation and validation for hapi

Generate is running a second time and 500-ing hapi #89

Closed excenter closed 8 years ago

excenter commented 8 years ago

Possibly related to #54. For a restful hapi pipeline, with the conf below, after I generate a crumb and get it back as a cookie, when I submit a data request I get:

Debug: internal, implementation, error 
    TypeError: Uncaught error: Cannot read property 'crumb' of null
    at generate (/Users/$ME/Developer/pipeline/node_modules/crumb/lib/index.js:159:34)

The index.js of the hapi server asks for this:

server.register(
    {
        register: require('crumb'),
        options: {
            restful: true
        }
    },
    (err) => {
        if (err) {
            throw err;
        }
    }
);

and the restful requests are

const env = require("../../config/environment"),
    httpreq = require('request');
module.exports = [
    {
        method: 'GET',
        path: '/generate',
        config: {
            auth: false
        },
        handler: function (request, reply) {
            return reply(
                { crumb: request.server.plugins.crumb.generate(request, reply) }
            );
        }
    },
    {
        method: 'PUT',
        path: '/crumbed',
        handler: function (request, reply) {
            console.log('crumb put has happened');
            console.log(request);
            // it says crumb route, meaning this?
            return reply('../../node_modules/crumb/lib/index.js');
        }
    }
];

(Fun fact: I never see 'crumb put has happened' when PUT-ing to /crumbed; the 500 previously mentioned hits first.)

Is this a bug with the generate function, or have I just royally failed to configure crumb?

stongo commented 8 years ago

Your PUT route should now just be a normal route protected by crumb (no need to reply with that index.js file).

Make sure your request to the PUT route (or any PUT, POST, DELETE, PATCH route) contains the header X-CSRF-Token: {value-you-got-from-generate-route}
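
The check described in the reply above, as an added example that is not part of the original thread and not crumb's own code: a simplified model of how a restful-style request is accepted or rejected by comparing the X-CSRF-Token header with the crumb cookie. The cookie name `crumb`, the function names and the sample requests are assumptions made for illustration.

```javascript
// Added example: simplified model of a header-vs-cookie crumb check.
// Not crumb's source; names and sample requests are constructed.
const { randomBytes, timingSafeEqual } = require('crypto');

const COOKIE_KEY = 'crumb';      // assumption: the cookie is named "crumb"
const HEADER = 'x-csrf-token';   // header named in the reply above (lowercased by Node)
const UNSAFE = new Set(['PUT', 'POST', 'DELETE', 'PATCH']);

// Parse a Cookie request header into { name: value }.
function parseCookies(header = '') {
    const jar = {};
    for (const part of header.split(';')) {
        const eq = part.indexOf('=');
        if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
    }
    return jar;
}

// Length-checked, constant-time comparison of two token strings.
function sameToken(a, b) {
    const x = Buffer.from(a);
    const y = Buffer.from(b);
    return x.length === y.length && timingSafeEqual(x, y);
}

// Returns the status this model assigns to a request.
function checkCrumb({ method, headers = {} }) {
    if (!UNSAFE.has(method.toUpperCase())) {
        return { status: 200, reason: 'safe method, not checked' };
    }
    const cookie = parseCookies(headers.cookie)[COOKIE_KEY];
    const header = headers[HEADER];
    if (!cookie) return { status: 403, reason: 'no crumb cookie' };
    if (!header) return { status: 403, reason: 'missing X-CSRF-Token header' };
    if (!sameToken(header, cookie)) return { status: 403, reason: 'token mismatch' };
    return { status: 200, reason: 'crumb valid' };
}

// Constructed samples: a token as a /generate-style route would hand it out.
const token = randomBytes(32).toString('hex');
const samples = [
    { method: 'PUT', headers: { cookie: `crumb=${token}`, [HEADER]: token } },
    { method: 'PUT', headers: { cookie: `crumb=${token}` } },
    { method: 'PUT', headers: { cookie: `crumb=${token}`, [HEADER]: 'forged' } },
];
for (const s of samples) console.log(s.method, checkCrumb(s));
```

Only the first sample passes: a client that holds the cookie but omits or alters the header is rejected, which is why the value returned by the generate route has to be copied into X-CSRF-Token on every state-changing request.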

lock[bot] commented 4 years ago

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.