Closed mike-engel closed 9 years ago
lusca has no opinion on error handling. It follows the express pattern of letting error-handling middleware do what it needs to.
The short explanation: when you call the continuation in a middleware, you can pass it an argument. If that argument is anything but `'route'`, express assumes you're passing along an error and short-circuits your middleware chain to the next error-handling middleware. An error-handling middleware is just a middleware with an arity of 4 (`err, req, res, next`, for example). Here's the express documentation on error-handling.
If lusca csrf validation fails, we just call the continuation with the 403 you're seeing in the stack trace. The stack trace being printed is just express' default error-handler kicking in.
If you want to do something else, try adding a middleware (after your other middleware and route definitions) that does something like this:

```javascript
function handleCsrfFailure(err, req, res, next) {
  if (err.message === 'CSRF token mismatch') {
    // Keep the stack trace in the server log, not in the response.
    console.log(err.stack || err);
    // you could res.render here if you want a custom template but I'll just `send`.
    // Set the status explicitly; otherwise the response goes out as 200.
    res.status(403).send('ugh. csrf mismatch.');
  } else {
    next(err);
  }
}
```
Closing this issue but feel free to continue the conversation with any questions or comments.
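An added example, not part of the thread and not lusca or express code: a simplified model of the dispatch rule described above, showing why the four-argument handler must come after the routes and what the client receives with and without it. `dispatch`, `fakeRes`, `csrfCheck`, `route`, `run` and the `token`/`sessionToken` fields are hypothetical stand-ins.

```javascript
// Simplified model of Express's middleware dispatch (an assumption for
// illustration, not Express source): after next(err) only four-parameter
// handlers run; without an error they are skipped.
function dispatch(stack, req, res) {
  let i = 0;
  function next(err) {
    const error = err === 'route' ? undefined : err; // 'route' is not an error
    const layer = stack[i++];
    if (!layer) {
      // Stand-in for the default handler, which exposes the stack trace.
      if (error) res.status(error.status || 500).send(String(error.stack));
      return;
    }
    const isErrorHandler = layer.length === 4;
    if (error && isErrorHandler) return layer(error, req, res, next);
    if (!error && !isErrorHandler) return layer(req, res, next);
    next(error); // wrong kind of layer for the current state: skip it
  }
  next();
  return res;
}

// Constructed stand-ins for the response object and for lusca's CSRF check.
function fakeRes() {
  return {
    statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
  };
}
function csrfCheck(req, res, next) {
  if (req.token === req.sessionToken) return next();
  const err = new Error('CSRF token mismatch');
  err.status = 403;
  next(err);
}
function route(req, res, next) { res.send('transfer complete'); }

// Error handler registered last: log detail server-side, send a fixed page.
function handleCsrfFailure(err, req, res, next) {
  if (err.message !== 'CSRF token mismatch') return next(err);
  console.error(err.stack || err);
  res.status(403).send('Your session token was invalid. Reload and retry.');
}

function run(req, withHandler) {
  const stack = [csrfCheck, route].concat(withHandler ? [handleCsrfFailure] : []);
  return dispatch(stack, req, fakeRes());
}
```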
Thanks @jasisk. Seems simple enough—I'll have to try it when I get home.
No problem. Let me know if you have any trouble.
Is there a way to present custom error pages such as a CSRF token mismatch to the user? Right now, express/lusca just prints the stack trace. Having a way to customize the template would be great.