Geek Answers Handbook

Error: CSRF token is missing, hackathon-starter plus AngularJS

I integrate AngularJS into hackathon-starter. This was done as I mentioned it here with the following tags test.html and test.controller.js

<div>
    The record: {{record}}
</div>

<div align="right">
    <button class="btn btn-lg btn-primary" ng-click="createRecord()" onclick="window.location.href='/order/shipping'">
        <i class=""> Create record</i>
    </button>
</div>

test.controller.js

(function () {

'use strict';
var injectParams = ['$scope', '$location', '$http'];

function TestController($scope, $location, $http) {

    $scope.record = {
        interId: 1,
        sku: '107k',
        category: 'Useful'
    };

    function createRecord(record) {
        return $http.post('/order/create', record).then(function (response) {
            return response.data;
        })
    }

    $scope.createRecord = function () {

        var record = $scope.record;

        createRecord(record)
            .then(function (data) {
                if (data.success) {
                    return $location.url('/shipping');
                }
                alert('Something wrong...');
            });
    }
};

TestController.$inject = injectParams;

angular.module('miniApp')
    .controller('TestController', TestController);
}());

It works if csrf is set to false, for example:

 app.use(lusca({
    csrf: false,
    xframe: 'SAMEORIGIN',
    xssProtection: true }));

If csrf is set to true, then there is an error: Error: CSRF token is missing

One of the solutions to this problem is to put a request on the path "/ order / create" to the lusca configuration, for example:

app.post('/order/create', passportConf.isAuthenticated, orderController.postCreateOrder);
app.use(lusca({
csrf: true,

...

But this solution is not very elegant.

URL- CSRF. , , . ( )?

, csrf test.controller.js. , . , , - .

, , .

+4
1

, , lusca CSRF- , hackathon-starter. , , , , " " . , , app.use(lusca({})) app.use() lusca , :

var csrfMiddleware = lusca.csrf();
app.use(function(req, res, next) {
    // Paths that start with /foo don't need CSRF
    if (/^\/foo/.test(req.originalUrl)) {
        next();
    } else {
        csrfMiddleware(req, res, next);
    }
});

app.use(lusca.csp({ /* ... */}));
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.p3p('ABCDEF'));
app.use(lusca.hsts({ maxAge: 31536000 }));
app.use(lusca.xssProtection(true));
+6

More articles:


All Articles