
I'm building an API for my React Native app. I'm trying to add CSRF protection with the csurf lib, but the docs don't teach how I can ignore my auth route. I have these routes: "/signIn", "/post". Both are "post" method. The code is like this:

const express = require("express");
const cookieParser = require("cookie-parser"); // csurf with { cookie: true } needs parsed cookies
const csrf = require("csurf");

const route = express.Router();
route.use(cookieParser());

const csrfProtection = csrf({ cookie: true });

// Separate csurf instance for the login route, told to skip POST (Player and Post are the app's own handlers)
route.post("/signIn", csrf({ cookie: true, ignoreMethods: ["POST"] }), Player.signIn);
route.post("/post/:to/:from", csrfProtection, Post.verify, Post.battle);

I imagine that if the user is not authenticated, he does not need a CSRF token. But the middleware csrf({ cookie: true, ignoreMethods: ["POST"] }) also ignores the "post" route and generates this error: ForbiddenError: invalid csrf token.

If I remove the middleware from the "signIn" route, the following error occurs: TypeError: req.csrfToken is not a function.

How can I ignore the route "signIn" and use the function res.cookie("_csrf", req.csrfToken()) without making a mistake?

Henrique Ramos
  • Not a direct answer, but [CSRF on log in page is a good and secure practice](https://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks) – Eric Wong Oct 01 '20 at 16:50
  • So if I must have a csrf on the login screen, where would the first csrf come from? @EricWong – Henrique Ramos Oct 01 '20 at 16:52
  • On the first login form render, probably in `route.get("/signIn", ....)` – Eric Wong Oct 02 '20 at 14:36
