> On 29 Nov 2014, at 17:08, Justin Maat <[email protected]> wrote:
> 
> Hi,
> 
> I'm very new to Node so please forgive me if this is a noob question.  I'm 
> trying to convert this project on github over to use ejs views, but 
> struggling to understand how they're creating the csrf token.
> 
> Seed project I'm using - 
> https://github.com/sahat/hackathon-starter
> 
> Uses lusca for csrf generation
> https://github.com/krakenjs/lusca
> 
> 
> The code I'm seeing in their seed project (at least what I think is relevant)
> 
> var csrf = require('lusca').csrf();
> 
> /**
>  * CSRF whitelist.
>  */
> 
> //app.js
> var csrfExclude = ['/url1', '/url2'];
> 
> //original project uses jade
> app.set('views', path.join(__dirname, 'views'));
> app.set('view engine', 'jade');   // I'm going to change this to ejs, but don't know where to get the csrf value (below) from
> 
> app.use(function(req, res, next) {
>   // CSRF protection.
>   if (_.contains(csrfExclude, req.path)) return next();
>   csrf(req, res, next);
> });
> app.use(function(req, res, next) {
>   // Make user object available in templates.
>   res.locals.user = req.user;
>   next();
> });
> app.use(function(req, res, next) {
>   // Remember original destination before login.
>   var path = req.path.split('/')[1];
>   if (/auth|login|logout|signup|fonts|favicon/i.test(path)) {
>     return next();
>   }
>   req.session.returnTo = req.path;
>   next();
> });
> 
> //route controllers
> app.get('/', homeController.index);
> 
> 
> 
> //in separate controller file - home.js
> 
> exports.index = function(req, res) {
>   res.render('home', {
>     title: 'Home'
>   });
> };
> 
> 
> //inside their jade file - this is converted to html tag --- <meta name="csrf-token" content="cRcgih7Vl1Ms2Xz0zgIeAyWwQm6s4kp3/8OS4=">
> meta(name='csrf-token', content=_csrf)
> 
> //so value _csrf is converted to cRcgih7Vl1Ms2Xz0zgIeAyWwQm6s4kp3/8OS4=
> 
> My confusion is where is the _csrf tag being pulled from?  I tried to grep 
> that keyword through all the files and don't actually see it set anywhere 
> (might be missing something?).  I'm looking through my inspector and able to 
> see that a session variable is set req.session._csrfSecret = nLzJqL3YIAJVzA==, 
> but this doesn't look to be the same key as used above.  Based on the 
> /8OS4 I'm thinking the value is actually concatenated somewhere.
> 
> My question is - in the jade template, where does this _csrf value come from? 
> I don't see where jade is grabbing it from in the js code anywhere (I don't 
> see _csrf set in the response anywhere).
> 
> Or what's the normal way to create and persist the csrf value using lusca?

With the middleware loaded, it generates a token and stores it in res.locals: 
see https://github.com/krakenjs/lusca/blob/master/lib/csrf.js#L33 (Line 20 
defaults the key to _csrf, and the highlighted line adds the token to the 
locals)
