我正在尝试为我的 nodejs 脚本包含 csrf 令牌保护。生成的令牌并添加到 post 请求的标头,但它得到 Invalid csrf token token
后端脚本
import uuid from 'uuid/v1'
import crypto from 'crypto'
import config from '../../../../config'
var cookieParser = require('cookie-parser')
var bodyParser = require('body-parser')
var csurf = require('csurf')
var csrfProtection = csurf({ cookie: true })
var parseForm = bodyParser.urlencoded({ extended: false })
const app = express( feathers() )
app.use(cookieParser())
app.use(bodyParser.urlencoded({ extended: false }))
app.get('/getcsrftoken',csrfProtection, function (req, res) {
var token = req.csrfToken();
//res.cookie('X-CSRF-TOKEN', token);
//res.locals.csrfToken = token;
//console.log(token)
return res.json({ csrfToken: token });
});
app.put( '/:cartID',parseForm,csrfProtection,async ( req, res ) => {
const {cartID} = req.params
console.log(req.headers['csrf-token'])
try {
const currentUser = await user.findById( castUserId( req.session._id ) )
const accountComplete = isAccountCompleteAndKYCVerified( currentUser )
if ( !accountComplete ) {
return res.status( 400 ).send({error: 'user_account_incomplete'})
}
}
await cart.remove({cartID})
const {items} = req.body
const itemsArray = []
for ( var item of items ) {
itemsArray.push({
cartID,
item : JSON.stringify( await denominations.findById( item.item._id ) ),
userID : req.session._id,
quantity: item.quantity,
})
}
} catch ( e ) {
res.status( 400 ).send({error: e.message})
logger( e )
}
})
前端脚本
import * as Cookies from 'js-cookie'
import { globalStore } from '@/utils/global'
import crypto from 'crypto'
import config from '@/config'
Vue.use(Cookies)
const addToCart = (dataToPass) => {
var items = {}
items.items = dataToPass
const header = (globalStore.token) ? {'authorization':
globalStore.token} : null
return $http(`/user-shopping-cart`, items, 'POST', header)
}
const gettoken = () => {
console.log("token")
const header = (globalStore.token) ? {'authorization':
globalStore.token} : null
return $http(`/user-shopping-cart/getcsrftoken`, null, 'GET', header)
}
const updateToCartQty = async (id, data) => {
const responce = await gettoken();
const header = (globalStore.token) ? {'authorization':
globalStore.token,'X-CSRF-TOKEN': responce.data.csrfToken} : null
return $http(`/user-shopping-cart/${id}`, data,'PUT', header)
}
应要求收到此错误消息'
error: message=invalid csrf token, stack=ForbiddenError: invalid csrf token.
比较 getcsrftoken() 输出和 put 请求头,两者是相同的
{看到几个与这个问题相关的问题,但没有一个能解决这个问题}