How to bypass/avoid CSRF on API POST?

In a Node application with ExpressJS we have CSRF middleware enabled. This works great, however we have some routes starting with /api and accepting POST requests which fail (forbidden) because there is no CSRF token of course. How can we bypass/avoid CSRF for /api posts?

Answers


You can conditionally pass inside of middleware, so one option is to look to a pattern like this:

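function yourMiddleware(req, res, next) {
  // Skip the CSRF check for routes under /api
  if ( null !== req.path.match(/^\/api/) ) {
    return next(); // return, so the CSRF behavior below does not also run
  }
  // your CSRF behavior here
}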

What about registering those routes before the CSRF middleware? Like:

var express = require('express');
var app = express();

app.use(express.bodyParser());
app.use(express.cookieParser('your-secret'));
app.use(express.session());
app.use('/api', require('path to your module that does not need csrf'));
app.use(express.csrf());
app.use('/othermount', require('path to your module that needs csrf'));

Edit: Expanded code example to clarify what I was thinking.
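An added example, not part of either answer above: the conditional-skip pattern written as a wrapper around any CSRF middleware, run against constructed requests so the outcome of each case is visible. The names `exemptPrefix`, `fakeCsrf` and `simulate` are hypothetical, and `fakeCsrf` is a stand-in for the real CSRF middleware. It assumes the /api routes authenticate with something other than the session cookie, since they no longer get a token check.

```javascript
'use strict';

// Wrap a CSRF middleware so that requests under `prefix` skip it.
// Matching is on a path-segment boundary: '/api' and '/api/items' are
// exempt, '/apiadmin' is not (a bare /^\/api/ test would exempt it too).
function exemptPrefix(prefix, csrfMiddleware) {
  return function (req, res, next) {
    if (req.path === prefix || req.path.startsWith(prefix + '/')) {
      return next(); // return, so the CSRF check below never runs
    }
    return csrfMiddleware(req, res, next);
  };
}

// Stand-in CSRF check, constructed for this example: safe methods pass,
// anything else must carry the session's token in the body field `_csrf`.
function fakeCsrf(req, res, next) {
  const safe = ['GET', 'HEAD', 'OPTIONS'].includes(req.method);
  if (safe || req.body._csrf === req.session.csrfToken) {
    return next();
  }
  res.statusCode = 403;
  res.end('Forbidden');
}

// Send one constructed request through the wrapper and report whether it
// reached the route handler or was rejected with a status code.
function simulate(method, path, body) {
  const req = {
    method: method,
    path: path,
    body: body || {},
    session: { csrfToken: 'constructed-token' } // constructed sample value
  };
  const res = { statusCode: 200, end: function () {} };
  let reached = false;
  exemptPrefix('/api', fakeCsrf)(req, res, function () { reached = true; });
  return reached ? 'handler' : String(res.statusCode);
}

console.log('POST /api/items      ->', simulate('POST', '/api/items'));
console.log('POST /apiadmin/users ->', simulate('POST', '/apiadmin/users'));
console.log('POST /account        ->', simulate('POST', '/account'));
console.log('POST /account+token  ->',
  simulate('POST', '/account', { _csrf: 'constructed-token' }));
```

In an Express app the wrapper would be registered in place of the bare CSRF middleware, for example `app.use(exemptPrefix('/api', express.csrf()))`.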

