
我正在尝试为我的 nodejs 脚本加入 csrf 令牌保护。令牌已生成并添加到 post 请求的标头中,但仍然得到 Invalid csrf token 错误

后端脚本

 import uuid from 'uuid/v1'
 import crypto from 'crypto'
 import config from '../../../../config'

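 // CSRF protection in cookie mode: csurf keeps the per-client secret in a cookie
 // (default name `_csrf`) and derives every token from it, so cookieParser() has
 // to be mounted before any route that uses csrfProtection (it is, below).
 const cookieParser = require('cookie-parser')
 const bodyParser = require('body-parser')
 const csurf = require('csurf')
 // httpOnly keeps the secret cookie out of reach of page scripts; the client only
 // ever needs the token handed out by /getcsrftoken, never this cookie. Add
 // `secure: true` once the app is served over HTTPS, and pick a `sameSite` value
 // when the front-end origin is known.
 const csrfProtection = csurf({ cookie: { httpOnly: true } })
 const parseForm = bodyParser.urlencoded({ extended: false })

 const app = express( feathers() )
 app.use(cookieParser())
 // Only urlencoded bodies are parsed here; if the front-end sends JSON, req.body
 // stays empty and `items` is undefined in the PUT handler — mount
 // bodyParser.json() as well in that case. TODO confirm what $http encodes.
 app.use(bodyParser.urlencoded({ extended: false }))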


  // Hands the client a CSRF token derived from the secret csurf keeps in its
  // cookie. The `_csrf` cookie csurf sets here (if none is present yet) must be
  // sent back with the later PUT, otherwise that token is rejected as invalid.
  app.get( '/getcsrftoken', csrfProtection, ( req, res ) => {
    const csrfToken = req.csrfToken()
    return res.json({ csrfToken })
  })


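// Replaces the contents of cart `cartID` with the items in the request body.
// Responds 400 on an incomplete account, a malformed body, or any thrown error.
app.put( '/:cartID', parseForm, csrfProtection, async ( req, res ) => {
    const { cartID } = req.params
    // csurf reads the token from `_csrf` in the body/query or from the
    // `csrf-token`, `xsrf-token`, `x-csrf-token` or `x-xsrf-token` headers.
    // Node lower-cases header names, so a client sending `X-CSRF-TOKEN` shows
    // up as req.headers['x-csrf-token']; the original logged 'csrf-token',
    // which prints undefined for that client and hides what was really sent.
    console.log( req.headers['x-csrf-token'] )
    try {
        const currentUser = await user.findById( castUserId( req.session._id ) )
        const accountComplete = isAccountCompleteAndKYCVerified( currentUser )
        if ( !accountComplete ) {
            return res.status( 400 ).send({ error: 'user_account_incomplete' })
        }
        // Validate the body before the destructive remove() below, so a
        // malformed request cannot wipe the cart and then fail half-way.
        // (Only urlencoded bodies are parsed on this route; a JSON body leaves
        // req.body empty — TODO confirm what the front-end sends.)
        const { items } = req.body
        if ( !Array.isArray( items ) ) {
            return res.status( 400 ).send({ error: 'items_required' })
        }
        await cart.remove({ cartID })
        // Look-ups are independent of each other, so run them concurrently.
        const itemsArray = await Promise.all(
            items.map( async ( entry ) => ({
                cartID,
                item    : JSON.stringify( await denominations.findById( entry.item._id ) ),
                userID  : req.session._id,
                quantity: entry.quantity,
            }))
        )
        // NOTE(review): the listing stops here without persisting itemsArray or
        // replying, which leaves the client waiting; the real handler is
        // presumably longer than what is shown — replace this reply with the
        // actual insert + response.
        return res.json({ cartID, items: itemsArray })
    } catch ( e ) {
        logger( e )
        // e.message is echoed to the client; for database or internal failures
        // this leaks implementation detail — prefer a generic message there.
        res.status( 400 ).send({ error: e.message })
    }
})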

前端脚本

 import * as Cookies from 'js-cookie'
 import { globalStore } from '@/utils/global'
 import crypto from 'crypto'
 import config from '@/config'

 // NOTE(review): Cookies (js-cookie) is not used by any function below, and
 // Vue.use() expects a plugin exposing install() — confirm this line is needed.
 Vue.use(Cookies)

 // POSTs `dataToPass` as `{ items }` to the cart endpoint, attaching the auth
 // token when one is present. No CSRF token is sent here; if that POST route is
 // also behind csrfProtection it will be rejected the same way as the PUT.
 const addToCart = (dataToPass) => {
   const payload = { items: dataToPass }
   const { token } = globalStore
   const header = token ? { authorization: token } : null
   return $http(`/user-shopping-cart`, payload, 'POST', header)
 }

 // Fetches a fresh CSRF token from the server. csurf (cookie mode) sets a
 // `_csrf` cookie on this response; the browser must store it and replay it on
 // the following PUT, otherwise the token is "invalid". If the API lives on a
 // different origin, that requires $http to send credentials and a matching
 // CORS setup — not verifiable from $http's signature here.
 const gettoken = () => {
   console.log("token")
   const { token } = globalStore
   const header = token ? { authorization: token } : null
   return $http(`/user-shopping-cart/getcsrftoken`, null, 'GET', header)
 }

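// Updates cart `id` with `data` over PUT, sending the CSRF token obtained from
// gettoken() in the X-CSRF-TOKEN header (csurf reads it as x-csrf-token).
// Rejects with whatever gettoken() or $http reject with.
const updateToCartQty = async (id, data) => {
  const response = await gettoken()
  // The CSRF token belongs on every state-changing request regardless of
  // whether an auth token exists; the original dropped the whole header object
  // (token included) when globalStore.token was unset.
  const header = { 'X-CSRF-TOKEN': response.data.csrfToken }
  if (globalStore.token) {
    header.authorization = globalStore.token
  }
  return $http(`/user-shopping-cart/${id}`, data, 'PUT', header)
}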

请求时收到此错误消息:

  error:  message=invalid csrf token, stack=ForbiddenError: invalid csrf token.

比较 getcsrftoken() 的输出与 put 请求的标头,两者是相同的

看到几个与这个问题相关的问题,但没有一个能解决这个问题

