For now, the docs give two examples. Both of them are based on server-side render.

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Need docs and examples for working with single page application. about csurf HOT 3 CLOSED

expressjs commented on April 19, 2024 4

Need docs and examples for working with single page application.

from csurf.

Comments (3)

dougwilson commented on April 19, 2024

Thanks for the suggestion! I don't have any experience with what you mean, so no idea how to write docs on it. If you could contribute docs on this subject, it would certainly be welcome!

from csurf.

mrdulin commented on April 19, 2024

@dougwilson I got ForbiddenError: invalid csrf token on server-side.

This is my front-end request headers:

I set X-CSRF-Token header and withCredentials: true

Here is my server code:

function server() {
  const app = express();
  const PORT = 3000;

  const whitelist = ['http://localhost:4200'];
  app.use(
    cors({
      origin: whitelist,
      credentials: true
    })
  );
  app.use(cookieParser('cookie-secret'));
  app.use((req, res, next) => {
    console.log('cookies: ', req.cookies);
    console.log('req.headers: ', req.headers['x-csrf-token']);
    next();
  });
  app.use(csrf({ cookie: true }));

  app.get('/', (req, res) => {
    res.sendStatus(200);
  });

  app.get('/csrftoken', (req, res) => {
    const csrfToken = req.csrfToken();
    console.log('csrfToken: ', csrfToken);
    res.json({ csrfToken });
  });

  app.post('/api/user', (req, res) => {
    const user = { name: faker.name.findName(), email: faker.internet.email() };
    res.json(user);
  });

  return app.listen(PORT, () => {
    logger.info(`Server is listening on http://localhost:${PORT}`);
  });
}

Can you please take a look? thanks.
Here are my code samples:

https://github.com/mrdulin/expressjs-research/tree/master/src/csrf/angular-sample-client
https://github.com/mrdulin/expressjs-research/tree/master/src/csrf/angular-sample-server

from csurf.

Vasanthkesavan commented on April 19, 2024

I'm also dealing with something similar with angular as frontend. One tool which angular provides is HttpClientXSRF module.

Your imports should look like:

import { BrowserModule } from '@angular/platform-browser';
import { NgModule } from '@angular/core';
import { HttpClientModule } from '@angular/common/http';

import { AppComponent } from './app.component';

@NgModule({
  declarations: [AppComponent],
  imports: [
       BrowserModule, 
       HttpClientModule,
    **HttpClientXsrfModule.withOptions({
      cookieName: 'x-csrf-token',
      headerName: 'x-csrf-token'
    }),**
  ],
  providers: [],
  bootstrap: [AppComponent]
})
export class AppModule {}