New option for csrf

[pjpoirson]

You can disable csrf for a route with module.exports.csrf.routesDisabled

Hi,

I had a problem with our facebook app and csrf. To display the homepage a form is used in Post

The _csrf param can't be passed here. So I need to disable this protection for the page https://game.zombie-outbreak.eu/pregame/facebook/. So I made the change and I add this option in my config/csrf.js : routesDisabled: '/pregame/facebook/'. And now it's ok for my first route call.

Before making these changes I found this "issue": #2096
So I tried to use the solution give by @sgress454

The only way to disable it for a particular route would be to add some custom middleware after the session middleware that checks req.url, and if it matches /upload/image, places the CSRF token in req.params as if it had been send with the request.

It's doesn't work for me.

If I put my custom middleware here

order: [
  'startRequestTimer',
  'cookieParser',
  'session',      
  'bodyParser', 
  'handleBodyParserError',
  'compress',
  'methodOverride',
  'poweredBy',
  '$custom',
  'disableCSFRtoken', // <===
  'router',          
  'www',
  'favicon',
  '404',
  '500'
],

disableCSFRtoken() si called but I can't access to req.csrfToken() or res.locals._csrf too add the csrf value in req.param/body

If I put it after the router middlware disableCSFRtoken() is not called in my case

'router',
'disableCSFRtoken', // <===

[sgress454]

Cool...if you can write a test and put it in here in test/integration/hooks.cors_csrf.test.js, we'd be happy to merge.

[pjpoirson]

Ok, done

CSRF config ::
...
  with CSRF set to {protectionEnabled: true, routesDisabled: '/user'}
    ✓ a POST request on /user without a CSRF token should result in a 200 response 
    ✓ a POST request on /test without a CSRF token should result in a 403 response

[sgress454]

Brilliant, thanks!