Avoiding CSRF Error message while enabling API endpoints (next() does not bypass the error message)


I have this middleware here.

    /*
    * Middleware for rendering 404 page on invalid csrf token
    */
    this.app.use((err: any, req: Request, res: Response, next: NextFunction) => {
        if (err.code === this.constants.CSRF.errCode) {
            let bypass = false;
            if (req.headers.referer || req.originalUrl || req.url) {
                let is_referer_url     = '';
                let is_originalUrl_url = '';
                let is_url             = '';
                // @ts-ignore
                is_referer_url         = req.headers.referer;
                is_url                 = req.url;
                is_originalUrl_url     = req.originalUrl;
                // Note: this outer `return` leaves the handler as soon as forEach
                // finishes (forEach returns undefined), so the `bypass` check and
                // the next() below are never reached for these requests. The inner
                // `return` only exits the forEach callback, not the handler.
                return REST_ENDPOINTS.forEach((endpoint) => {
                    if (is_referer_url == endpoint
                        || is_originalUrl_url == endpoint
                        || is_url == endpoint) {
                        bypass = true;
                        return this.redirect(res, endpoint);
                    }
                });
            }
            if (!bypass) {
                this.invalidCsrfResponse(req, res);
            }
            // this.invalidCsrfResponse(req, res);
            // Note: next() is called even after invalidCsrfResponse has already
            // written a response, so later middleware runs against a sent response.
            next()
        }
        if (err.code !== this.constants.CSRF.errCode)  {
            next(err);
        }
    })

The code above just checks whether any of the API endpoints include the API URLs in the array REST_ENDPOINTS.

the file of the array:

export const REST_ENDPOINTS = [
    "/get_example/",
    "/patch_example/",
    "/delete_example/"
]

The problem is that it actually works, but not exactly how it should, because with the code above the CSRF error keeps popping up and I can't get rid of it.

    this.app.use((err: any, req: Request, res: Response, next: NextFunction) => {
        if (err.code === this.constants.CSRF.errCode) {
            // this.invalidCsrfResponse(req, res);
            next()
        }
        if (err.code !== this.constants.CSRF.errCode)  {
            next(err);
        }
    })

This code above bypasses the CSRF error completely, as if I had not implemented CSRF at all, and it works like a charm, just not for API endpoints (requests not from same-origin clients)???

I tried to disable the CSRF error message because I need to disable it for API endpoints, and it worked, just not for another origin, only for same-origin client requests.

CodePudding user response:

I just had to call the csrf constructor without registering it in the app.use() function, and then pass it in as middleware for the normal app routes and **not pass it as middleware to all the API endpoints**.

Thread is solved.

    /*
    * CSRF Enabled
    */
    var CSRF = Csrf({
        sessionKey:    this.constants.CSRF.sessionKey,
        cookie:        this.constants.CSRF.cookie,
        ignoreMethods: this.constants.CSRF.ignoreMethods,
    });

    // Deploy the API endpoints and bypass CSRF when requesting these endpoints.
    // CSRF is invoked only for non-API requests; it is no longer registered globally.
    this.app.use((req: Request, res: Response, next: NextFunction) => {
        if (REST_ENDPOINTS.includes(req.headers.referer ?? '')
         || REST_ENDPOINTS.includes(req.originalUrl ?? '')
         || REST_ENDPOINTS.includes(req.url ?? '')) {
            return next();
        }
        CSRF(req, res, next);
    });
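The pattern in the accepted answer, applying the CSRF middleware per route instead of globally, as an added example that is not code from the original post or from csurf. It goes a little beyond the answer: the exemption is decided on the request path with the query string stripped (so `/patch_example/?id=7` is still exempt), and the Referer header is deliberately not consulted, because a browser sends Referer as a full URL chosen on the client side, so comparing it with a bare path like `/get_example/` never matches and is not a trustworthy routing key anyway. Express and csurf are replaced by minimal stand-ins (`Req`, `Res`, `fakeCsrf`, `VALID_TOKEN`, the sample requests) so the control flow runs offline; the error code `EBADCSRFTOKEN` is the one csurf really reports through `next(err)`.

```typescript
// Added example (not from the original post): route-scoped CSRF for an Express-style app.
// Express and csurf are replaced by minimal stand-ins so the flow runs offline; the
// request/response shapes, fakeCsrf, VALID_TOKEN and the sample requests are constructed.

type Next = (err?: unknown) => void;

interface Req {
    method: string;
    originalUrl: string;
    headers: Record<string, string | undefined>;
}

interface Res {
    statusCode: number;
}

type Middleware = (req: Req, res: Res, next: Next) => void;

// Same exemption list as the answer above; only these exact paths skip the CSRF check.
const REST_ENDPOINTS: string[] = ["/get_example/", "/patch_example/", "/delete_example/"];

// Path part of originalUrl without query string or fragment. Express exposes the
// same value as req.path; it is computed by hand here to stay dependency-free.
function requestPath(originalUrl: string): string {
    const cut = originalUrl.search(/[?#]/);
    return cut === -1 ? originalUrl : originalUrl.slice(0, cut);
}

function isExemptPath(originalUrl: string, exempt: string[] = REST_ENDPOINTS): boolean {
    return exempt.includes(requestPath(originalUrl));
}

// Wraps a CSRF middleware so it runs for every request except the exempt API paths.
// The decision is keyed on the request path only; Referer is never consulted.
function csrfExcept(csrf: Middleware, exempt: string[] = REST_ENDPOINTS): Middleware {
    return (req: Req, res: Res, next: Next): void => {
        if (isExemptPath(req.originalUrl, exempt)) {
            next();
            return;
        }
        csrf(req, res, next);
    };
}

// Stand-in for csurf (constructed): safe methods pass, otherwise the x-csrf-token
// header must equal VALID_TOKEN. Like csurf, a failure is reported via next(err)
// with err.code === "EBADCSRFTOKEN", which an error handler then turns into a response.
const VALID_TOKEN = "csrf-demo-token"; // constructed, not a real secret
const IGNORE_METHODS = ["GET", "HEAD", "OPTIONS"]; // csurf's default ignoreMethods

function fakeCsrf(req: Req, _res: Res, next: Next): void {
    if (IGNORE_METHODS.includes(req.method) || req.headers["x-csrf-token"] === VALID_TOKEN) {
        next();
        return;
    }
    next(Object.assign(new Error("invalid csrf token"), { code: "EBADCSRFTOKEN" }));
}

// Drives one request through the guarded middleware and reports whether the CSRF
// check ran and which error code, if any, reached next().
function run(req: Req): { csrfChecked: boolean; error: string | undefined } {
    let csrfChecked = false;
    let error: string | undefined;
    const counted: Middleware = (r, s, n) => {
        csrfChecked = true;
        fakeCsrf(r, s, n);
    };
    csrfExcept(counted)(req, { statusCode: 200 }, (err?: unknown) => {
        if (err) {
            error = (err as { code?: string }).code;
        }
    });
    return { csrfChecked, error };
}

// Constructed requests: an API call with a query string, a cross-site form post that
// spoofs Referer, and a legitimate same-origin post carrying the token.
const apiPost: Req = { method: "POST", originalUrl: "/patch_example/?id=7", headers: {} };
const forgedPost: Req = { method: "POST", originalUrl: "/account/email", headers: { referer: "/get_example/" } };
const tokenPost: Req = { method: "POST", originalUrl: "/account/email", headers: { "x-csrf-token": VALID_TOKEN } };

console.log(run(apiPost));    // CSRF skipped: exempt path
console.log(run(forgedPost)); // CSRF ran and failed: EBADCSRFTOKEN
console.log(run(tokenPost));  // CSRF ran and passed
```

In a real Express app `csrfExcept(csurf({ cookie: true }))` would be registered with `app.use` and the stand-ins dropped. The exemption only makes sense when the exempt API routes are not authorized by ambient browser credentials (session cookie or basic auth): a route that accepts a cookie-authenticated POST without a CSRF token is exactly what CSRF protection exists to prevent, so such routes should require a bearer token or similar explicit credential instead.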