當我添加對CSRF令牌的支持以保持提交的安全性時,我遇到了與我的多部分表單有關的問題。我在我的app.js
文件中將CSRF代全球設置爲我的req
對象,並且除了multipart以外沒有任何其他類型的Web表單存在問題。我已經閱讀了這個與multer有關的常見問題,並且涉及將CSRF與multer設置一起放置,或者將其作爲查詢提交。由於安全原因,我寧願不使用附加查詢的方法,而寧願查看如何修復我的設置以像我的其他表單一樣運行。CSRF和Multer - 無效的CSRF令牌錯誤
錯誤消息:
ForbiddenError: invalid csrf token
at csrf (/Users/user/Desktop/Projects/node/test-app/node_modules/csurf/index.js:112:19)
app.js:
var csrf = require('csurf');
....
//Set CSRF for Form Tokens
app.use(csrf());
app.use(function(req, res, next){
res.locals._csrf = req.csrfToken();
next();
});
路線:
var upload = multer({
storage: multerS3({
s3: s3,
bucket: options.Bucket,
contentType: multerS3.AUTO_CONTENT_TYPE,
acl: options.ACL,
key: function(req, file, cb){
var fileNameFormatted = file.originalname.replace(/\s+/g, '-').toLowerCase();
cb(null, req.user.organizationId + '/' + uploadDate + '/' + fileNameFormatted);
}
}),
fileFilter: function(req, file, cb){
if(!file.originalname.match(/\.(jpg|jpeg|png|gif|csv|xls|xlsb|xlsm|xlsx)$/)){
return cb('One of your selected files is not supported', false);
}
cb(null, true);
}
}).array('fileUpload', 5);
appRoutes.route('/blog/create')
.get(function(req, res){
res.render('pages/app/blog-create.hbs',{
errorMessage: req.flash('error'),
csrfToken: req.csrfToken()
});
})
.post(function(req, res){
upload(req, res, function(err){
if(err){
req.flash('error', err);
res.redirect(req.get('referer'));
return;
}
models.Blog.create({
date: req.body.date,
title: req.body.title,
content: req.body.content,
userId: req.user.userId
}).then(function(){
req.flash('info', 'Blog was successfully created.');
res.redirect('/app');
});
})
});
觀點:
<form action="/app/blog/create" method="post" enctype="multipart/form-data" id="blogSubmission">
<input type="hidden" name="_csrf" value="{{csrfToken}}">
....
</form>