Hi,

I'm very new to Node so please forgive me if this is a noob question. I'm
trying to convert this project on github over to use ejs views, but
struggling to understand how they're creating the csrf token.

Seed project I'm using -
https://github.com/sahat/hackathon-starter

Uses lusca for csrf generation
https://github.com/krakenjs/lusca


The code I'm seeing in their seed project (at least what I think is
relevant)

//app.js
//(assumed also present in app.js but not in this excerpt: the express,
// path and lodash/underscore requires behind app, path and _, the session
// middleware, and the homeController require)
var csrf = require('lusca').csrf();

/**
 * CSRF whitelist.
 */
var csrfExclude = ['/url1', '/url2'];

//original project uses jade
app.set('views', path.join(__dirname, 'views'));
//i'm going to change this to ejs, but don't know where to get the csrf
//value (below) from
app.set('view engine', 'jade');

app.use(function(req, res, next) {
  // CSRF protection.
  if (_.contains(csrfExclude, req.path)) return next();
  csrf(req, res, next);
});
app.use(function(req, res, next) {
  // Make user object available in templates.
  res.locals.user = req.user;
  next();
});
app.use(function(req, res, next) {
  // Remember original destination before login.
  var path = req.path.split('/')[1];
  if (/auth|login|logout|signup|fonts|favicon/i.test(path)) {
    return next();
  }
  req.session.returnTo = req.path;
  next();
});

//route controllers
app.get('/', homeController.index);


//in separate controller file - home.js

exports.index = function(req, res) {
  res.render('home', {
    title: 'Home'
  });
};


//inside their jade file - this is converted to the html tag
//<meta name="csrf-token" content="cRcgih7Vl1Ms2Xz0zgIeAyWwQm6s4kp3/8OS4=">
meta(name='csrf-token', content=_csrf)

//so value _csrf is converted to cRcgih7Vl1Ms2Xz0zgIeAyWwQm6s4kp3/8OS4=

My confusion is where the _csrf tag is being pulled from. I tried to grep
that keyword through all the files and don't actually see it set anywhere
(might be missing something?). I'm looking through my inspector and am able
to see that a session variable is set, req.session._csrfSecret =
nLzJqL3YIAJVzA==, but this doesn't look to be the same key as used above.
Based on the /8OS4 I'm thinking the value is actually concatenated
somewhere.

My question is - in the jade template, where does this _csrf value come
from? I don't see where jade is grabbing it from in the js code anywhere
(I don't see _csrf set in the response anywhere).

Or what's the normal way to create and persist the csrf value using lusca?


Thanks for any help!

--
Job board: http://jobs.nodejs.org/
New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs+unsubscribe@googlegroups.com.
To post to this group, send email to nodejs@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/492009d5-7fad-438b-ac2d-87a92cf8a24c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


  • Aria Stewart at Nov 29, 2014 at 10:18 pm

    On 29 Nov 2014, at 17:08, Justin Maat wrote:

    [...]

    Or what's the normal way to create and persist the csrf value using lusca?

    With the middleware loaded, it generates a token and stores it in res.locals: see https://github.com/krakenjs/lusca/blob/master/lib/csrf.js#L33 (Line 20 defaults the key to _csrf, and the highlighted line adds the token to the locals)


  • Justin Maat at Nov 29, 2014 at 11:17 pm
    Ahhhh perfect! I somehow looked past this.

    Thanks so much!


    On Saturday, 29 November 2014 17:18:20 UTC-5, Aria Stewart wrote:

    On 29 Nov 2014, at 17:08, Justin Maat <jxm...@gmail.com> wrote:

    [...]

    With the middleware loaded, it generates a token and stores it in
    res.locals: see
    https://github.com/krakenjs/lusca/blob/master/lib/csrf.js#L33 (Line 20
    defaults the key to _csrf, and the highlighted line adds the token to the
    locals)


Discussion Overview
group: nodejs
categories: nodejs
posted: Nov 29, '14 at 10:10p
active: Nov 29, '14 at 11:17p
posts: 3
users: 2
website: nodejs.org
irc: #node.js

2 users in discussion
Justin Maat: 2 posts
Aria Stewart: 1 post
