这是authcontroller.js
module.exports.login_post = async (req, res) => {
const { _csrf, email, password } = req.body;
console.log(_csrf, req.csrfToken());
if (!_csrf || _csrf !== req.csrfToken()) {
return res.status(403).send('Invalid CSRF token');
}
try {
user = await User.login_user(email, password);
const token = create_token(user.email);
res.cookie('jwt', token, { httpOnly: true, maxAge: maxAge * 1000 });
res.redirect('/welcome');
}
catch (err) {
var errors = handleErrors(err);
console.log(errors);
res.render('login', { error: true })
}
}
authroutes.js
router.get('/login', auth_controller.login_get);
router.post('/login', auth_controller.login_post);
server.js(省略了一些行,但所有库都已导入)
const csurf = require('csurf');
var authroutes = require('./routes/authroutes');
var app = express();
app.use(express.static('public'));
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(cookieParser());
// Initialize CSRF protection middleware
const csrfProtection = csurf({ cookie: true });
app.use(csrfProtection);
//listen for requests here
app.listen(3000);
console.log('Server started on port 3000');
// reigster view engine
app.set('view engine', 'ejs');
app.set('views', 'views');
//routes
app.use(index);
app.use(authroutes);
login.ejs(包含在内)
<form action="/login" method="POST">
<input type="hidden" name="_csrf" value="<%- csrfToken %>">
做了所有这些,但是传入的CSRFtoken(_csrf)与req.csrfToken()不一样,有谁知道如何解决这个问题?
尝试删除中间件,但导致整个服务器崩溃