Closed HariHaraBalan closed 9 years ago
This is—more generally—a concern with middleware. The same patterns for selectively calling middleware apply here just the same as with any other middleware. For more info on those patterns, check the documentation.
Specifically, in the express documentation about app.use:
path [in app.use(path, fn)] can be a string representing a path, a path pattern, a regular expression to match paths, or an array of combinations of the aforementioned path objects.
... and in the meddleware documentation about the route option:
route (string, RegExp, optional) - An express route against which the middleware should be registered. Please note that—if configuring meddleware with json files—you'll need to use something like shortstop with shortstop-regex to convert a string to RegExp.
That said, regarding csrf specifically, the implementation is separate from the middleware and can be called independently (assuming you're using the same csrf-specific secret key for lusca and the token generation bit). I would make the argument that there really shouldn't be a case for which you'd need to, but the default implementation is available in lusca/lib/token.
Lastly, the implementation of the token generation / validation is configurable:
impl Function - Optional. Custom implementation to generate a token.
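The selective-middleware pattern described in the comment above, as an added example that is not part of the thread or of lusca's own code: a wrapper that skips a CSRF middleware only for an explicit method and path pair and fails closed for everything else. The names exceptFor, stubCsrf and outcome and the path /payments/callback are hypothetical, and stubCsrf is a dependency-free stand-in for the real lusca middleware.

```javascript
// Added example. exceptFor, stubCsrf and outcome are hypothetical names.
const trim = (p) => (p.length > 1 && p.endsWith('/') ? p.slice(0, -1) : p);

// Wrap `middleware` so it is skipped only for explicit method + path pairs.
// Anything that does not match exactly still goes through the middleware,
// so a typo in an exemption fails closed (the CSRF check stays on).
function exceptFor(exemptions, middleware) {
  const rules = exemptions.map(({ method, path }) => {
    if (typeof method !== 'string') throw new TypeError('method is required');
    let test;
    if (path instanceof RegExp) {
      // Drop g/y flags: they make RegExp.prototype.test stateful.
      const re = new RegExp(path.source, path.flags.replace(/[gy]/g, ''));
      test = (p) => re.test(p);
    } else if (typeof path === 'string') {
      const want = trim(path);
      test = (p) => trim(p) === want; // exact match, never a prefix match
    } else {
      throw new TypeError('path must be a string or RegExp');
    }
    return { method: method.toUpperCase(), test };
  });
  return function selective(req, res, next) {
    const exempt = rules.some((r) => r.method === req.method && r.test(req.path));
    return exempt ? next() : middleware(req, res, next);
  };
}

// Stand-in for the CSRF middleware so the example runs without dependencies
// (assumption: a real app would pass the lusca middleware here instead).
function stubCsrf(req, res, next) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
  const sent = req.body && req.body._csrf;
  return sent && sent === req.session.token ? next() : next(new Error('CSRF token mismatch'));
}

// Drive a middleware with a constructed request and report what happened.
function outcome(mw, req) {
  let result = 'no-next';
  mw(req, {}, (err) => { result = err ? 'rejected' : 'passed'; });
  return result;
}

// Constructed sample requests: only POST /payments/callback is exempt.
const guard = exceptFor([{ method: 'POST', path: '/payments/callback' }], stubCsrf);
const session = { token: 'constructed-token' };
console.log(outcome(guard, { method: 'POST', path: '/payments/callback', body: {}, session }));
console.log(outcome(guard, { method: 'POST', path: '/profile', body: {}, session }));
```

An exempted route has no CSRF protection at all, so it needs its own request authentication, and the exemption list should stay as short and as exact as possible.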
For scenarios where we need to disable CSRF for a particular POST page, we won't be able to add a CSRF token for the following request.
Either of the following enhancements would help