DaTebe - 6 months ago
Node.js Question

KeystoneJS CSRF on own pages

I'm searching for an easy way to set a CSRF token and check it on every POST/PUT/... request.

There is already a mechanism in the AdminUI. Can this be used on the "normal" webpages?

I'm aware of the keystone.security.csrf.middleware.init and keystone.security.csrf.middleware.validate functions. But where is the best place to call them?

Many thanks in advance!
Daniel

Edit:
I have tried to use

var keystone = require('keystone');

// routes/index.js: issue a token on every request, then reject unsafe requests without a matching token
keystone.pre('routes', keystone.security.csrf.middleware.init);
keystone.pre('routes', keystone.security.csrf.middleware.validate);


in my routes file. The token is set in my cookie. Also, the cookie is transmitted when I request the server.
But the validate method tells me: "mismatch token". Maybe I have a conceptual misunderstanding. I thought that this would work out of the box. What am I missing?

Edit2:
I will add the token to my form. I missed this step...

Answer

You can call it as common middleware; just define it in your routes/index.js file:

var keystone = require('keystone');

// runs before your routes on every request and makes the token available to your views
keystone.pre('routes', keystone.security.csrf.middleware.init);