Search code examples
node.jscsrfbraintree

Braintree CSRF token missing

I am attempting to add Braintree's drop-in UI in node.js. It looks like it should be simple, but I am new to both Braintree and node and having some issues! First, I created a new Braintree gateway, which is being generated correctly. Then I created a server side route that is generating a token from Braintree.

  app.route('/client_token').get(function(req, res) {
    console.log(gateway);
    gateway.clientToken.generate({}, function (err, response) {
      res.send({clientToken: response.clientToken});
    });
  })

Then I created the client side controller, which is accessing the token and allows me to pop up the drop-in ui. This is all working.

(function(){

class CheckoutComponent {
  constructor($http) {
    this.$http = $http;
  }

  $onInit() {
    this.$http({
      method: 'GET',
      url: '/client_token'
    }).then(function successCallback(response) {
        braintree.setup(
          response.data.clientToken,
          "dropin", {
            container: "payment-form"
        });
      }, function errorCallback(response) {
      });
  }
}

angular.module('toroApp')
  .component('checkout', {
    templateUrl: 'app/checkout/checkout.html',
    controller: CheckoutComponent
  });

})();

This is where I get stuck. The drop-in ui form should then make a post request to '/checkout' and the payment should go through! Here is my code for that, and the drop-in ui html.

Controller

  app.route('/checkout').post(function (req, res) {
    var transactionErrors;
    var amount = 10; // In production you should not take amounts directly from clients
    var nonce = req.body.payment_method_nonce;

    gateway.transaction.sale({
      amount: amount,
      paymentMethodNonce: nonce
    }, function (err, result) {
      if (result.success || result.transaction) {
        res.redirect('checkouts/' + result.transaction.id);
      } else {
        transactionErrors = result.errors.deepErrors();
        req.flash('error', {msg: formatErrors(transactionErrors)});
        res.redirect('checkouts/new');
      }
    });
  });

HTML

<form id="checkout" method="post" action="/checkout">
  <div id="payment-form"></div>
  <input type="submit" value="Pay $10">
</form>

<script src="https://js.braintreegateway.com/js/braintree-2.25.0.min.js"></script>

And then everything breaks... Any ideas? I am also new to StackOverflow, so any feedback on the format and content in this question is appreciated.

GET /client_token 200 492.478 ms - -
Error: CSRF token missing
    at checkCsrf 
POST /checkout 403 23.809 ms - -
Solution

  • The problem was Lusca! If you enabled Lusca in an express config file, you need to disable it in development.