Trouble with CSRF resulting in CSRF mismatch from AngularJS


Gregory Pierce

Aug 20, 2015, 5:46:18 PM
to sails.js
I've been trying to follow the documentation on SailsJS security and was implementing CSRF protection when I came across a very difficult problem:

I have turned on CSRF:

module.exports.csrf = true;

I have configured the settings:

module.exports.csrf = {
   grantTokenViaAjax: true,
}

I am requesting the csrfToken from the web service in my angular application app.run and putting the _csrf into the default POST headers:


        $http(
        {
            url: $rootScope.serverRootUri + '/csrfToken',
            method: 'GET'
        } ).success( function( data, status, header, config )
        {
            $log.info("[CSRF] Received token ", data._csrf );
            $rootScope.csrfToken = data._csrf;

            $http.defaults.headers.post['_csrf'] = $rootScope.csrfToken;

            $log.info( '[CSRF] Header CSRF TOKEN - ', $http.defaults.headers.post['_csrf'] );

        })
        .error( function( data, status, header, config )
        {
            $log.info("[CSRF] Unable to get token from ", $rootScope.serverRootUri, data );
        });

And now I am sending along my $http request - I've tried to shove the _csrf into the headers here and I can see it in the Firebug output in a Request header:

                $http(
                    {
                        url: $rootScope.serverRootUri + '/apiCall',
                        method: 'POST',
                        withCredentials: true,
                        data: {
                            data: $rootScope.fooBar,
                        },
                        headers: {
                            '_csrf': $rootScope.csrfToken
                        }
                    } ).success( function ( data, status, header, config )
                    {
                        $location.url('/happyDance');

                        deferred.resolve( data );
                    } )
                    .error( function ( data, status, header, config )
                    {
                        $location.url('/error');

                        deferred.reject( data );
                    } );


However I am always getting the 403 back from Sails with a CSRF mismatch. I'm having a hard time figuring out what I'm missing as I've followed the docs and added in stuff in every place I think it might be looking for it, but still I get the CSRF mismatch. Going a bit nutty. Any thoughts? I'm using version 0.11 of sails.
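Added example, not the poster's code: a plain-object token store, a loader for the GET /csrfToken endpoint described above, and an AngularJS-style $http interceptor that attaches the token only to state-changing requests. It assumes the endpoint returns {_csrf: ...} as in the post and that the server reads the token from the X-CSRF-Token request header (an assumption based on the Sails CSRF docs); every call is sent withCredentials because the token is bound to the session cookie.

```javascript
'use strict';

// Added example, not the poster's code. GET /csrfToken and the _csrf field in its
// reply come from the post; that the server accepts the token in the X-CSRF-Token
// request header is an assumption taken from the Sails CSRF docs.
const MUTATING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Holds the token fetched once at startup (the post keeps it on $rootScope).
function createCsrfStore() {
  let token = null;
  return {
    set(value) { token = value; },
    get() { return token; },
  };
}

// Fetches the token through a caller-supplied GET function (e.g. $http) and stores it.
// withCredentials is set because the token is bound to the session cookie: a token
// fetched in one session and replayed in another is rejected as a mismatch.
function loadCsrfToken(httpGet, serverRootUri, store) {
  return httpGet({ url: serverRootUri + '/csrfToken', method: 'GET', withCredentials: true })
    .then(function (res) {
      store.set(res.data._csrf);
      return store.get();
    });
}

// Returns an object shaped like an AngularJS $http interceptor, registered with
//   $httpProvider.interceptors.push(function () { return createCsrfInterceptor(store); });
// Only state-changing methods get the header; GET requests carry no token.
function createCsrfInterceptor(store) {
  return {
    request: function (config) {
      const method = (config.method || 'GET').toUpperCase();
      config.withCredentials = true; // keep the session cookie with every call
      if (MUTATING_METHODS.has(method)) {
        const token = store.get();
        if (!token) {
          throw new Error('CSRF token not loaded; run loadCsrfToken before mutating calls');
        }
        config.headers = Object.assign({}, config.headers, { 'X-CSRF-Token': token });
      }
      return config;
    },
  };
}
```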

coryrob...@gmail.com

Aug 20, 2015, 7:33:52 PM
to Gregory Pierce, sails.js
Fastest resolution IMO is go dig in the sails files and throw console logs in callbacks where csrf is being checked.

Sent from my iPhone

Ambroise Dhenain

Aug 27, 2015, 12:36:10 PM
to Cory _, Gregory Pierce, sails.js
Are you sure that the CSRF is sent with your POST requests? Did you see it in the network panel for instance? If you do get a CSRF and if it is sent during POST requests and if it gets back as a 403, then I guess you should dig more into it like coryrobinson suggested, directly using logs in sails core somewhere.
--
Best regards,

M. Ambroise Dhenain.