
I have a node.js application that is built on top of the hackathon starter framework (which people can demo at http://hackathonstarter.herokuapp.com/).

I would like to set it up such that a person can login on the iOS application and use the web application database.

When I log in to the application the request body includes the following, which is what is then used to authenticate the user.

body:
   { _csrf: 'a2OrandomxnpwVOrandomp0u36randomorlv0=',
     email: 'myEmail@gmail.com',
     password: 'myPassword' },

I tried making an ajax request in the console of the site in the following format and it was successful in authenticating me:

$.ajax({
    type:"POST",
    url:"/login",
    data:   { _csrf: 'a2OrandomxnpwVOrandomp0u36randomorlv0=',
     email: 'myEmail@gmail.com',
     password: 'myPassword' },
    dataType:"json",
    success:function(response){
        console.log(response)
    }
}); 

From this I've concluded (hopefully correctly) that in order to accept the request from an external application the request must include a valid _csrf token, which leads me to the question: what will the iOS application's request look like, and where will it get a CSRF token that will be valid for my application?

The problem is similar to the following:

How to get CSRF token in iOS?

maudulus

1 Answer

The Hackathon Starter framework looks like it's designed for browser-based web applications rather than generic web API requests. For what you're trying to do, you'd want to use API-based authentication (Basic Authentication is the simplest, and this looks like a good tutorial on adding it to express which Hackathon uses).

If you want to use the existing framework as-is, you'll have to do a bit of work on the iOS side. From the link you provided, it looks like the framework is passing the CSRF token in an HTML <meta> tag on the login page:

<meta name="csrf-token" content="9XLjTtpT6jf/HsrXT94GHOeFS4NIgQUTuPpfw=">

In your iOS application, you'll have to first make a request to the login page, scrape the CSRF token from the meta tag, and use that when making your POST request using the _csrf variable.

Unfortunately I'm not familiar with iOS and how you would write the code for the request, but the end result will be similar to what your jQuery example above produces.

gregnr
  • what if the web application had an endpoint where the iOS application could go and it would simply return the meta content token? – maudulus May 20 '15 at 20:25
  • Without trying myself, that sounds like it would work. You'd have to add your own view that produces just the CSRF value (looks like they're using Jade templates). I believe `_csrf` is a local variable that can be used by their views (take a look at how they produce the `meta` tag [here](https://github.com/sahat/hackathon-starter/blob/master/views/layout.jade)). – gregnr May 20 '15 at 20:48
  • Another way to go about it is to send the CSRF in a header so you don't have to scrape it. Looks like they use the [lusca](https://github.com/krakenjs/lusca) library which actually claims to provide CSRF headers (see comment [here](https://github.com/krakenjs/lusca/blob/master/lib/csrf.js#L13)), but doesn't actually do it (it just accepts those headers, doesn't produce them). So you'd have to implement that yourself somewhere. – gregnr May 20 '15 at 20:53