Ahhhh perfect! I somehow looked past this. Thanks so much!
On Saturday, 29 November 2014 17:18:20 UTC-5, Aria Stewart wrote:
>
> On 29 Nov 2014, at 17:08, Justin Maat <[email protected]> wrote:
>
> > Hi,
> >
> > I'm very new to Node so please forgive me if this is a noob question. I'm trying to convert this project on github over to use ejs views, but struggling to understand how they're creating the csrf token.
> >
> > Seed project I'm using - https://github.com/sahat/hackathon-starter
> >
> > Uses lusca for csrf generation - https://github.com/krakenjs/lusca
> >
> > The code I'm seeing in their seed project (at least what I think is relevant):
> >
> >     var csrf = require('lusca').csrf();
> >
> >     /**
> >      * CSRF whitelist.
> >      */
> >
> >     //app.js
> >     var csrfExclude = ['/url1', '/url2'];
> >
> >     //original project uses jade
> >     app.set('views', path.join(__dirname, 'views'));
> >     app.set('view engine', 'jade'); //i'm going to change this to ejs, but don't know where to get the csrf value (below) from
> >
> >     app.use(function(req, res, next) {
> >       // CSRF protection.
> >       if (_.contains(csrfExclude, req.path)) return next();
> >       csrf(req, res, next);
> >     });
> >     app.use(function(req, res, next) {
> >       // Make user object available in templates.
> >       res.locals.user = req.user;
> >       next();
> >     });
> >     app.use(function(req, res, next) {
> >       // Remember original destination before login.
> >       var path = req.path.split('/')[1];
> >       if (/auth|login|logout|signup|fonts|favicon/i.test(path)) {
> >         return next();
> >       }
> >       req.session.returnTo = req.path;
> >       next();
> >     });
> >
> >     //route controllers
> >     app.get('/', homeController.index);
> >
> >     //in separate controller file - home.js
> >     exports.index = function(req, res) {
> >       res.render('home', {
> >         title: 'Home'
> >       });
> >     };
> >
> >     //inside their jade file - this is converted to html tag --- <meta name="csrf-token" content="cRcgih7Vl1Ms2Xz0zgIeAyWwQm6s4kp3/8OS4=">
> >     meta(name='csrf-token', content=_csrf)
> >
> >     //so value _csrf is converted to cRcgih7Vl1Ms2Xz0zgIeAyWwQm6s4kp3/8OS4=
> >
> > My confusion is where is the _csrf tag being pulled from? I tried to grep that keyword through all the files and don't actually see it set anywhere (might be missing something?). I'm looking through my inspector and able to see that a session variable is set req.session._csrfSecret = nLzJqL3YIAJVzA== , but this doesn't look to be the same key as used above. Based on the /8OS4 I'm thinking the value is actually concatenated somewhere.
> >
> > My question is - in the jade template, where does this _csrf value come from? I don't see where jade is grabbing it from in the js code anywhere (I don't see _csrf set in the response anywhere).
> >
> > Or what's the normal way to create and persist the csrf value using lusca?
>
> With the middleware loaded, it generates a token and stores it in res.locals: see https://github.com/krakenjs/lusca/blob/master/lib/csrf.js#L33 (Line 20 defaults the key to _csrf, and the highlighted line adds the token to the locals)

--
Job board: http://jobs.nodejs.org/
New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/d6deaa1c-b31f-4484-9726-63ea8041bee4%40googlegroups.com.
