Error: CSRF token missing

[makromat]

Hi guys,

after update lusca I got error :

Error: CSRF token missing

var csrfExclude = ['/webhooks']; // is not working any more ?

[grawk]

Please can you share what version of lusca you're using?

Also, share some more details about your use case. It looks like you're trying to exclude an endpoint from csrf validation. Can you share your full middleware and lusca configuration?

[makromat]

Hi @grawk,

"lusca": "^1.1.1",

var lusca                = require('lusca');
app.use(lusca({
    csrf: true,
    csp: { /* ... */},
    xframe: 'SAMEORIGIN',
    p3p: 'ABCDEF',
    hsts: {maxAge: 31536000, includeSubDomains: true, preload: true},
    xssProtection: true
}));

var csrfExclude = ['/webhooks'];

app.use(function(req, res, next) {
  // CSRF protection.
  if (_.contains(csrfExclude, req.path)) return next();
  lusca.csrf(req, res, next);  // before it was working like csrf(req, res, next);
});

yes I'm using route /webhooks for receive data from paypal... So There can not be csrf protection enabled.

[jasisk]

Are you using Kraken?

[grawk]

Presumably there is some additional code somewhere which tries to except routes starting with /webhooks. Can you please share that?

[makromat]

I have edited previous message..

[jasisk]

You are, in most cases, calling the csrf middleware twice.

Your first app.use(lusca{}) is already performing the csrf check since you have csrf: true.

Try removing one or the other app.use and see if the issue is resolved for non-excluded routes. If so, let me know and we can go through a better way of excluding routes from csrf protection.

[jasisk]

(Accidentally closed. Reopened.)

[makromat]

ok so it has to be like :

var lusca = require('lusca');

var csrfExclude = ['/webhooks'];
app.use(function(req, res, next) {
  if (_.contains(csrfExclude, req.path)) return next();
  lusca.csrf(req, res, next);  // not working like this... How can I call next() after csrf is verified ?
});

app.use(lusca.csp({ /* ... */}));
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.p3p('ABCDEF'));
app.use(lusca.hsts({ maxAge: 31536000 }));
app.use(lusca.xssProtection(true));

[makromat]

What is better way to exluding csrf protection ? By the way thanks a lot !!!

[jasisk]

If you're using kraken, we have created a small demo project demonstrating a couple of middleware registration patterns. That should point you in the right direction (specifically, the blacklist pattern, though I greatly prefer a sub-app where appropriate).

Otherwise, in this case, you should be alright to turn off csrf in the first instance, and conditionally include it in the second (similarly to what you already have).

It would be the first snippet you showed, except changing csrf: true to csrf: false.

Note that, in your example, you're passing lusca.csrf req, res, and next which is broken. lusca.csrf is a factory function—it returns a middleware when invoked.

Also, depending on how your app is written and its needs, you could simply pre-empt csrf protection altogether. Something like this:

var webhook = require('./webhook');
// `./webhook` could simply return an `express.Router` instance containing your webhook logic

app.use(lusca({ /* ... your opts but with `csrf: false` ... */ });
app.use('/webhooks', webhook);
app.use(lusca.csrf());
// ... all routes defined from this point are csrf protected.

[nmarcetic]

@jasisk Thank you for this proposal , working like a charm ;) For people who don't use krakenjs. There is a lot discussion about this online , this is a only clean and workable solution I found. Long live middleware chain ;)