vuejs csrf nodejs express solve it, how to! Nothing without GOD!
Here is the thing:
vue.js - VueJS and express pass csrf token to post - Stack Overflow
and Big Thanks to: Express.js and Vue.js – secure forms using CSRF token – Lukasz Tkacz devBlog
const express = require('express');
const csrf = require('csurf')
const cookieParser = require('cookie-parser')
const cors = require('cors')
const app = express()
const csrfProtection = csrf({ cookie: true })
// const cors = require('cors')
app.use(express.json())
var corsOptions = {
origin: 'http://localhost:8081',
optionsSuccessStatus: 200, // some legacy browsers (IE11, various SmartTVs) choke on 204
credentials: true,
}
app.use(cors(corsOptions))
// app.use(cors(corsOptions))
app.use(cookieParser())
app.use(express.urlencoded({ extended: false }))
// app.set('view engine', 'ejs')
// app.disable('x-powered-by')
// app.set('trust proxy', 1) // trust first proxy
// app.use(function(req, res, next) {
// res.header('Access-Control-Allow-Origin', 'http://localhost:8081');
// res.header('Access-Control-Allow-Credentials', 'true');
// res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept');
// next();
// });
app.get('/csrf', csrfProtection, (req, res) => {
//res.status(200).send({ 'csrfToken': req.csrfToken() })
res.locals._csrf = req.csrfToken();
return res.json({ csrfToken: req.csrfToken() });
})
app.post('/process', csrfProtection, (req, res, next) => {
console.log(`Message received: ${req.body.name}`);
//console.log('req: ',req)
//console.log('req.cookies1: ',req.cookies)
//console.log('req.cookies2: ',req.cookies.cookie)
//var cookie = req.cookies
//console.log('cookie: ',cookie)
console.log('req.body.name: ',req.body.name)
// console.log('req.body: ',req.body.cookies)
//res.send({'name': req.body.name })
//res.json({'name': req.body.data})
})
const port = 3131
app.listen(3131, () => {
console.log(`app listening on port ${port}`)
})
<template>
<form v-on:submit.prevent="process">
<input name="_csrf" v-model="csrfToken">
Name
<input type="text" v-model="name">
<button type="submit">Submit</button>
</form>
</template>
<script>
import axios from "axios"
export default {
name: 'Test',
data() {
return {
csrfToken: null,
name: null,
}
},
methods: {
getcsrf() {
//console.log('name: ',this.name)
axios.create({withCredentials: true}).get("http://localhost:3131/csrf")
.then((response) => {
console.log('response: ', response)
axios.defaults.headers.common['X-CSRF-TOKEN'] = response.data.csrfToken
this.csrfToken = response.data.csrfToken
console.log('csrfToken: ',this.csrfToken)
})
.catch((err) => {
console.log('err_getcsrf: ',err)
})
},
process() {
console.log('csrfToken: ',this.csrfToken)
console.log('name: ',this.name)
// const data = {
// 'csrfToken': this.csrfToken,
// 'name': this.name,
// }
const data = {
'name': this.name,
}
//first attempt csrf
axios.create({withCredentials: true}).post("http://localhost:3131/process", data)
.then((response) => {
console.log('response: ', response)
})
.catch((err) => {
console.log('err_axios: ',err)
})
//2 attempt csrf
// Read the CSRF token from the <meta> tag
//var form = document.forms[0]
//var token = form.querySelector('input[name="_csrf"]')
// var token = this.csrfToken
// console.log('token: ',token)
// // Make a request using the Fetch API
// fetch('http://localhost:3131/process', {
// mode: 'no-cors',
// method: "post",
// //credentials: 'same-origin', // <-- includes cookies in the request
// credentials: 'include',
// headers: {
// 'CSRF-Token': token // <-- is the csrf token as a header
// },
// body: {
// name: this.name
// }
// })
},
},
mounted () {
this.getcsrf()
}
}
</script>
Comments
Post a Comment