Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to send CSRF information to the server? #51

Open
mzarella opened this issue Mar 16, 2015 · 0 comments
Open

How to send CSRF information to the server? #51

mzarella opened this issue Mar 16, 2015 · 0 comments

Comments

@mzarella
Copy link

How do I ensure that the proper csrf information is sent to the server? Currently my login handler looks like this:

  var app = angular.module('app');

  app.controller('LoginCtrl', function($scope, $state, UserService, $http, $cookies) {
    OAuth.initialize('LONG_STRING');
    var token = null;
    $http.get('http://api.example.com/oauth/token')
    .success(function(generatedToken, status) {
      return token = generatedToken;
    }).error(function(errorMessage, status) {
      return console.log("l8 LoginCtrl\n " + status + ": " + errorMessage);
    });

    // fired when touches the Google login button
    $scope.googleLogin = function() {
      return OAuth.popup('google', {
        cache: false,
        state: token
      }).done(function(result) {
        // so far so good, but this is where the request is invalid
        $http.post("http://api.example.com/oauth/signin")
        .success(function(data, status) {
          debugger;
        }).error(function(data, status) {
          debugger;
        });
      }).fail(function(error) {
        return console.log('error: ', error);
      });
    };

It's when I send a POST request to /oauth/signin that my server is unhappy:
ForbiddenError: invalid csrf token

My express server code looks like this:

  var MongoStore, app, bodyParser, compress, connectAssets, contactController, cookieParser, csrf, csrfProtection, errorHandler, express, expressValidator, flash, homeController, logger, methodOverride, mongoose, multer, oauth, parseForm, passport, passportConf, path, secrets, session, userController;

  express = require('express');

  cookieParser = require('cookie-parser');

  csrf = require('csurf');

  compress = require('compression');

  session = require('express-session');

  bodyParser = require('body-parser');

  logger = require('morgan');

  errorHandler = require('errorhandler');

  methodOverride = require('method-override');

  multer = require('multer');

  MongoStore = require('connect-mongo')(session);

  flash = require('express-flash');

  path = require('path');

  mongoose = require('mongoose');

  passport = require('passport');

  expressValidator = require('express-validator');

  connectAssets = require('connect-assets');

  oauth = require('oauthio');

  csrfProtection = csrf({
    cookie: true
  });

  parseForm = bodyParser.urlencoded({
    extended: false
  });

  homeController = require('./controllers/home');

  userController = require('./controllers/user');

  contactController = require('./controllers/contact');

  secrets = require('./config/secrets');

  passportConf = require('./config/passport');

  app = express();

  mongoose.connect(secrets.db);

  mongoose.connection.on('error', function() {
    console.error('MongoDB Connection Error. Please make sure that MongoDB is running.');
  });

  app.set('port', process.env.PORT || 3000);

  app.set('views', path.join(__dirname, 'views'));

  app.set('view engine', 'jade');

  app.use(compress());

  app.use(connectAssets({
    paths: [path.join(__dirname, 'public/css'), path.join(__dirname, 'public/js')]
  }));

  app.use(logger('dev'));

  app.use(bodyParser.json());

  app.use(multer({
    dest: path.join(__dirname, 'uploads')
  }));

  app.use(expressValidator());

  app.use(methodOverride());

  app.use(cookieParser('secret'));

  app.use(session({
    resave: true,
    saveUninitialized: true,
    secret: secrets.sessionSecret,
    store: new MongoStore({
      url: secrets.db,
      autoReconnect: true
    })
  }));

  app.use(passport.initialize());

  app.use(passport.session());

  app.use(flash());

  app.use(csrf(), function(req, res, next) {
    res.cookie('XSRF-TOKEN', req.csrfToken());
    return next();
  });

  app.use(function(req, res, next) {
    res.locals.user = req.user;
    return next();
  });

  app.use(express["static"](path.join(__dirname, 'public'), {
    maxAge: 31557600000
  }));


/* I'm not using any of this right now
  app.get('/', homeController.index);

  app.get('/login', userController.getLogin);

  app.post('/login', userController.postLogin);

  app.get('/logout', userController.logout);

  app.get('/forgot', userController.getForgot);

  app.post('/forgot', userController.postForgot);

  app.get('/reset/:token', userController.getReset);

  app.post('/reset/:token', userController.postReset);

  app.get('/signup', userController.getSignup);

  app.post('/signup', userController.postSignup);

  app.get('/contact', contactController.getContact);

  app.post('/contact', contactController.postContact);

  app.get('/account', passportConf.isAuthenticated, userController.getAccount);

  app.post('/account/profile', passportConf.isAuthenticated, userController.postUpdateProfile);

  app.post('/account/password', passportConf.isAuthenticated, userController.postUpdatePassword);

  app.post('/account/delete', passportConf.isAuthenticated, userController.postDeleteAccount);

  app.get('/account/unlink/:provider', passportConf.isAuthenticated, userController.getOauthUnlink);
*/

  app.get('/oauth/token', csrfProtection, function(req, res) {
    var token = oauth.generateStateToken(req.session);
    return res.send(token);
  });

  app.post("/oauth/signin", parseForm, csrfProtection, function(req, res) {
    var code = req.body.code;
    return oauth.auth("google", req.session, {
      code: code
    }).then(function(request_object) {
      res.send(200, "The user is authenticated");
    }).fail(function(e) {
      console.log(e);
      return res.send(400, "Code is incorrect");
    });
  });

  app.use(errorHandler());

  app.listen(app.get("port"), function() {
    console.log("Express server listening on port %d in %s mode", app.get("port"), app.get("env"));
  });

  module.exports = app;

Here's the error code:

root@example:~/example-api# node index
Express server listening on port 3000 in development mode
GET /oauth/token 200 24.690 ms - 24
ForbiddenError: invalid csrf token
  at verifytoken (/root/example-api/node_modules/csurf/index.js:263:11)
  at csrf (/root/example-api/node_modules/csurf/index.js:93:7)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at /root/example-api/node_modules/express-flash/lib/express-flash.js:31:7
  at /root/example-api/node_modules/express-flash/node_modules/connect-flash/lib/flash.js:21:5
  at /root/example-api/node_modules/express-flash/lib/express-flash.js:22:5
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at SessionStrategy.strategy.pass (/root/example-api/node_modules/passport/lib/middleware/authenticate.js:318:9)
  at SessionStrategy.authenticate (/root/example-api/node_modules/passport/lib/strategies/session.js:67:10)
  at attempt (/root/example-api/node_modules/passport/lib/middleware/authenticate.js:341:16)
  at authenticate (/root/example-api/node_modules/passport/lib/middleware/authenticate.js:342:7)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at initialize (/root/example-api/node_modules/passport/lib/middleware/initialize.js:62:5)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at session (/root/example-api/node_modules/express-session/index.js:386:7)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at cookieParser (/root/example-api/node_modules/cookie-parser/index.js:34:14)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at methodOverride (/root/example-api/node_modules/method-override/index.js:77:5)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at /root/example-api/node_modules/express-validator/lib/express_validator.js:233:12
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at /root/example-api/node_modules/multer/index.js:218:19
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at jsonParser (/root/example-api/node_modules/body-parser/lib/types/json.js:103:37)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at logger (/root/example-api/node_modules/morgan/index.js:136:5)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at middleware (/root/example-api/node_modules/connect-assets/index.js:43:7)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at compression (/root/example-api/node_modules/compression/index.js:212:5)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at expressInit (/root/example-api/node_modules/express/lib/middleware/init.js:23:5)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at query (/root/example-api/node_modules/express/lib/middleware/query.js:28:5)
  at Layer.handle [as handle_request] (/root/example-api/node_modules/express/lib/router/layer.js:82:5)
  at trim_prefix (/root/example-api/node_modules/express/lib/router/index.js:302:13)
  at /root/example-api/node_modules/express/lib/router/index.js:270:7
  at Function.proto.process_params (/root/example-api/node_modules/express/lib/router/index.js:321:12)
  at next (/root/example-api/node_modules/express/lib/router/index.js:261:10)
  at Function.proto.handle (/root/example-api/node_modules/express/lib/router/index.js:166:3)
  at EventEmitter.app.handle (/root/example-api/node_modules/express/lib/application.js:170:10)
  at Server.app (/root/example-api/node_modules/express/lib/express.js:28:9)
  at Server.EventEmitter.emit (events.js:98:17)
  at HTTPParser.parser.onIncoming (http.js:2108:12)
  at HTTPParser.parserOnHeadersComplete [as onHeadersComplete] (http.js:121:23)
  at Socket.socket.ondata (http.js:1966:22)
  at TCP.onread (net.js:525:27)

POST /oauth/signin 403 22.926 ms - -
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mzarella