DaTebe DaTebe - 4 months ago 17
Node.js Question

CSRF Mismatched Token

I have a problem with mismatching csrf token in KeystoneJS.
I use this in my routes file:

keystone.pre('routes', keystone.security.csrf.middleware.validate);
keystone.pre('routes', keystone.security.csrf.middleware.init);


In my client-side code I set an x-csrf-token header with jQuery:

$.ajaxSetup({ headers: { 'x-csrf-token' : '{{csrf_token_value}}' } });


Now I send a post request to a route defined in my routes file. The csrf token in my request header and my cookie are the same. What am I missing?

Many thanks in advance!
Daniel

Answer

The solution for me was to make a meta-tag and use it to fill my ajaxSetup method.

<meta name="csrf-token" content="{{csrf_token_value}}">

$.ajaxSetup({
    headers: {
        'x-csrf-token': $('meta[name="csrf-token"]').attr('content')
    }
});

Now the token sent in my header and the one in my cookie are also different (maybe the one in the cookie is encrypted by KeystoneJS?).

I don't understand why it makes a difference whether I put the token directly in my ajaxSetup method or in the meta tag.

It would be nice if someone could explain it to me. It would definitely improve this answer, as only the 'how' is addressed and not the 'why'.
