Francesco Gramano Francesco Gramano - 3 months ago 25
Node.js Question

SailsJS View Layer Separation with CSRF

I am curious about whether or not, and how, it would be possible to completely separate a sailsJS app from the View Layer. That is to not manage templates, views, client-side JS, and assets in a way that's coupled with what is just meant as a RESTful API in my case. I want to try and deploy two separate repositories that do not need to know how the other works that interact with each other by requests.

I know about the

sails new <apiName> --no-frontend
option but I would also like to incoporate CSRF tokens on my forms that doesn't do it in the suggested
ejs
method with an
<input type='hidden' name='_csrf' value='<%= _csrf %>'>
.

Would it be possible and recommended for my case to expose an endpoint that deals strictly with granting and validating csrf tokens on my sailsJS server?

Answer

You can just scrap everything that has to do with the front-end (--no-frontend is a good start). The csrf hook and GET /csrfToken are still there if you don't generate a front-end, but sails will require a _csrf parameter whenever you POST, PUT, et cetera, if the CSRF hook is enabled.

Within your sails app, whenever you handle a route, you do not have to return res.view() or res.render(); you can return res.json() or anything of that ilk.

For example, we use gulp to manage our assets separately from sails; such that sails only handles API requests, not static files or rendering.

Comments