Search code examples
javascriptnode.jsexpresscsrf

ExpressJS: Misconfigured CSRF

I'm newbie in Node.js and Express and I'm trying to generate a security token using CSURF module. First, I have made a test using the documentation of the module and with only one file, for example, index.js works fine, but then, I have to try to separate the code in two files index.js and routes-api.js and it doesn't work and I don't know why.

index.js This file requires "routes-api.js"

//Creación de un servidor con express
const express = require("express");
const app = express();  //Inicializamos express

//Accedemos a otros módulos
const morgan = require("morgan");
const bodyParser = require("body-parser");
const jwt = require("jsonwebtoken");

//Accedemos a propiedades de configuración
const config = require("./config");

//Rutas
const routes = require("./routes");
const routesAPI = require("./routes-api");

//Settings
app.set("app-name", config.server);
app.set("port", config.port);
app.set("super-secret", config.secret);

//Middlewares
// use body parser so we can get info from POST and/or URL parameters
app.use(bodyParser.urlencoded({extended: false}));
app.use(bodyParser.json());
app.use(morgan("dev")); //Log request to the console

app.use((req, res, next) => {
    console.log("Pasamos por la segunda función!!!");
    next();
});

//Routing
app.use("/api", routesAPI);
app.use(routes);

//Server
app.listen(app.get("port"), () => {
    console.log("Servidor " +  app.get("app-name") + " escuchando!!!");
});

routes-api.js

var cookieParser = require('cookie-parser');
var csrf = require('csurf');
var bodyParser = require('body-parser');
var express = require('express');
const path = require("path");
const app = express();
const router = express.Router();

// setup route middlewares
var csrfProtection = csrf({ cookie: true });
var parseForm = bodyParser.urlencoded({ extended: false });

// parse cookies
// we need this because "cookie" is true in csrfProtection
app.use(cookieParser());

router.get("/", csrfProtection, (req, res) => {
    console.log("crsf: " + req.csrfToken());
    res.sendFile(path.join(__dirname + '/send.html'), { csrfToken: req.csrfToken() });    
});

module.exports = router;

So, what am I doing wrong in routes-api.js file to get a misconfigured csrf error?

Solution

  • It looks like there's a new app in routes-api.js that's different than the existing app in index.js?

    Maybe the routesAPI module should export a function that adds a router to an app.