Hi , I'm very new to Node so please forgive me if this is a noob question. I'm trying to use convert this project on github over to use ejs views , but struggling to understand how they're creating the csrf token.
Seed project I'm using - https://github.com/sahat/hackathon-starter Uses lusca for csrf generation https://github.com/krakenjs/lusca The code I'm seeing in their seed proejct (at least what I think is relevant) var csrf = require('lusca').csrf(); /** * CSRF whitelist. */ //app.js var csrfExclude = ['/url1', '/url2']; //original project uses jade app.set('views', path.join(__dirname, 'views')); app.set('view engine', 'jade'); //i'm going to change this to ejs, but don't know where to get the csrf value(below) from app.use(function(req, res, next) { // CSRF protection. if (_.contains(csrfExclude, req.path)) return next(); csrf(req, res, next); }); app.use(function(req, res, next) { // Make user object available in templates. res.locals.user = req.user; next(); }); app.use(function(req, res, next) { // Remember original destination before login. var path = req.path.split('/')[1]; if (/auth|login|logout|signup|fonts|favicon/i.test(path)) { return next(); } req.session.returnTo = req.path; next(); }); //route controllers app.get('/', homeController.index); //in separate controller file - home.js exports.index = function(req, res) { res.render('home', { title: 'Home' }); }; //inside their jade file - this is converted to html tag --- <meta name="csrf-token" content="cRcgih7Vl1Ms2Xz0zgIeAyWwQm6s4kp3/8OS4="> meta(name='csrf-token', content=_csrf) //so value _csrf is converted to cRcgih7Vl1Ms2Xz0zgIeAyWwQm6s4kp3/8OS4= My confusion is where is the _csrf tag being pulled from? I tried to grep that keywork through all the files and don't actually see it set anywhere (might be missing something?). I'm looking through my inspector and able to see that a session variable is set req.session._csrfSecret = nLzJqL3YIAJVzA== , but this doesn't look to be the same key as used above. Based on the /8OS4 I'm thinking the value is actually concatenated somewhere. My question is - in the jade template, where does this _csrf value come from? I don't see where jade is grabbing it from in the js code anywhere (I don't see _csrf set in the response anywhere). Or what's the normal way to create and persist the csrf value using lusca? Thanks for any help! -- Job board: http://jobs.nodejs.org/ New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines --- You received this message because you are subscribed to the Google Groups "nodejs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/492009d5-7fad-438b-ac2d-87a92cf8a24c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
