Node.js: CSRF is not getting invalidated after use
I am facing a really annoying issue that the CSRF security token is not getting invalidated after it has been used.
I tried to submit the form several times with the same values and csrf token but it worked. Whereas, I should have received the 403 error.
import csrf from 'csrf';
import express from 'express';
...
const App = express();
// CSRF tokens
const tokens = new csrf({ cookie: true });
const csrfToken = tokens.secretSync({ saltLength: 128 });
App.use((req, res, next) => {
...
// Validating CSRF token
if (
(['get', 'options'].includes(req.method.toLowerCase()) === false) &&
! tokens.verify(csrfToken, req.body._csrf) &&
! tokens.verify(csrfToken, req.headers['x-csrf-token'])
) {
throw new Error('CSRF: Invalid or missing token');
}
req.csrfToken = tokens.create(csrfToken);
next();
});
...
controller.js
const csrfToken = async (req, res) => await res.json({
csrf: req.csrfToken
});
export {
csrfToken,
};
It seems that I was under the wrong impression that API's data submission routes, such as: POST, PUT, PATCH, etc., should also be protected with the CSRF token in order to enhance the security, just like posting a form via a browser window.
However, while searching for the answer, I came to know that unlike form submission via a web browser, the api data submission do not require the csrf protection as they typically do not rely on the cookies to insure the identity of the user.
If you like to read more then follow this link to the question
- Easier way to update data with node-postgres?
- typescript node.js express routes separated files best practices
- Installing bcrypt on ubuntu error message node api version
- Using UUID In Dynamic Namespace In Socket IO
- Rest Api In Nodejs Express & MySql
- Retrieving User Information from LDAP Active Directory Server with Node.js using ldapjs package
- Automate moving a Chrome window opened by Selenium to a third monitor in Mac OS
- Run mocha tests in test environment?
- How to use multiple request handling functions with Node.js Express?
- Import `path` for Node reacts differently in NestJS
- How to train tensorflow.js on medical data
- Error: Cannot create URL for blob! when converting blob to URL in react native
- Jest No Tests found
- How do I read a JSON file into (server) memory?
- Get Resultset From Query without Meta Information Sequelize
- NPM coverage threshold - settings
- How do I convert an image to a base64-encoded data URL in sails.js or generally in the servers side JavaScript?
- Making a node.js api- a different need
- Node.js JWT refresh token in express middleware
- Why am I getting error "Trying to open unclosed connection."?
- How to have configure _moduleAliases in Express js (Node JS)
- How to detect if a mocha test is running in node.js?
- ValidationException: The table does not have the specified index: GameTitleIndex
- "sls dynamodb start" throws spawn java ENOENT
- How to receive data from html form
- Running NPM scripts sequentially
- How to cache the RUN npm install instruction when docker build a Dockerfile
- Node.js Express how do I send response as javascript or other file type
- My lambda is ending before my code completes and I'm not sure why
- Mongoose deleting (pull) a document within an array, does not work with ObjectID