Develop Reference

Why CSRF is not working in only POST route While working in the rest of other Post routes?

I am getting the CSRF forbidden error. However CSRF is working fine in the rest of the application like post route of logout, signUp, Signin deleteing anything et c..
But when I perform the post action in only one route `/addProduct" I am getting the error Note that I am generating my CSRF token before routes declaration.
I am attaching the main file code and the front end code of addProduct.
Here is my main file code where I am generating token and including it in all routes
app.use(csrfProtection);
app.use(flash());
// USed to include token and isLoggedIn information to render in every page
app.use((req, res, next) => {
res.locals.isLoggedIn = req.session.isLoggedIn;
res.locals.csrfToken = req.csrfToken();
res.locals.user= req.session.user;
next();
});
// app.use((req, res, next) => {
// // throw new Error('Sync Dummy');
// if (!req.session.user) {
// return next();
// }});
app.use(multer({ storage: fileStorage,fileFilter:fileFilter }).single('image'));
app.use(shopRoute);
app.use(authRoute);
app.use('/admin',adminRoute);
app.use(errorController.get404);
This is the front end code for ADD_Product.ejs. Here I am including hidden input as well... to get CSRF value back to check it...
<form action="<%=path%>" enctype="multipart/form-data" method="POST">
<div class="form-group">
<label for="title">Title</label>
<input type="text" class="form-control" id="title" name="title" value="<%=product.title%>" >
</div>
<div class="form-group">
<label for="price">Price</label>
<input type="text" class="form-control" id="price" name="price" value="<%=product.price%>">
</div>
<div class="form-group">
<input type="file" class="form-control-file" id="exampleFormControlFile1" name="image" value="<%=product.imageUrl%>">
</div>
<div class="form-group">
<label for="exampleFormControlTextarea1">Description</label>
<textarea class="form-control" id="exampleFormControlTextarea1" rows="3" name="description" value="<%=product.description%>"></textarea>
</div>
<% if (path=="/admin/edit") { %>
<input type="hidden" name="productId" value="<%=product._id%>">
<% } %>
<input type="hidden" name="_csrf" value="<%= csrfToken %>">
<button type="submit" class="btn btn-primary btn-lg center">+ </button>
</form>

POST request from handlebars form gives 404

I have the following form in my handlebars code:
{{#if contact}}
<form method="POST" action="/contacts/{{contact._id}}">
<input type="text" name="name">
<input type="text" name="phone">
<button>Update Contact</button>
</form>
{{else}}
When the user clicks the button, my browser is redirected to 'localhost:3000/contacts/34634234'
and I get a 404 error.
I checked, and 34634234 is a valid ID.
In my Node routes, I have
router.post('contacts/:id', function(req, res) {
res.render('index');
});
I know res.render('index') works because I've used it in other parts of my code.
However,

Not sure if is because of this, but...
You're missing type="submit" on the button element.
{{#if contact}}
<form method="POST" action="/contacts/{{contact._id}}">
<input type="text" name="name">
<input type="text" name="phone">
<button type="submit">Update Contact</button>
</form>
{{else}}
And you're missing a slash / at the beginning of your route.
router.post('/contacts/:id', function(req, res) {
res.render('index');
});

How do i create a get query in nodeJS based on information contained in checkboxes

I am trying to build an app that lets users find other users with a specific combination of skills. I ask the users to select which skills they are looking for via checkboxes but I'm not sure how to request for the status of that checkbox in my function.
My function currently is:
UserInfo.find()
.where('skill1').equals('')
.where('skill2').equals('')
.where('skill3').equals('')
.limit(10)
.then(function(doc) {
res.render('index', {items: doc});
});
It works properly if I set the equals('') to true or false but I'm not sure how to set it dynamically. My HTML code for the checkboxes is:
<form action="/getskills" method="get">
<div class="input">
<label for="skill1">Skill1</label>
<input type="checkbox" id="skill1" name="skill1" value="skill1"/>
</div>
<div class="input">
<label for="skill2">Skill2</label>
<input type="checkbox" id="skill2" name="skill2" value="skill2"/>
</div>
<div class="input">
<label for="skill3">Skill3</label>
<input type="checkbox" id="skill3" name="skill3" value="skill3"/>
</div>
FIND SKILL
</form>
How can I create and integrate a function to check the value of the checkbox and set the value of the required skill to either true or false?
Thanks in advance for your help.

The problem is that you are using an <a> element to perform the request to the server instead of <input type="submit">. Without a submit button, the elements on your form will not be submitted with the request. Modify your html to this
<form action="/getskills" method="get">
<div class="input">
<label for="skill1">Skill1</label>
<input type="checkbox" id="skill1" name="skill1" value="skill1" />
</div>
<div class="input">
<label for="skill2">Skill2</label>
<input type="checkbox" id="skill2" name="skill2" value="skill2" />
</div>
<div class="input">
<label for="skill3">Skill3</label>
<input type="checkbox" id="skill3" name="skill3" value="skill3" />
</div>
<input type="submit" value="FIND SKILL" />
</form>
then in your Node.js code (I assume you are using express), you can get the checkbox values as query parameters as follows:
//I'm assuming the req parameter is passed in to the express get() method
UserInfo.find()
.where('skill1').equals(req.query.skill1)
.where('skill2').equals(req.query.skill2)
.where('skill3').equals(req.query.skill3)
.limit(10)
.then(function(doc) {
res.render('index', {items: doc});
});

req.body returns empty object on put request

Im trying to update data by using put request
im using method-override package and multer for file upload
im not able to figure out what is causing the problem because
my post route is working fine where objects are getting stored in database from req.body fields and file is getting uploaded
this is my route:
app.put("/browse/:id", function(req, res){
console.log( req.body); // returns empty object
console.log( req.file); //undefined
})
this is the form
<form action="/browse/<%= book._id %>?_method=PUT" enctype="multipart/form-data" method="POST">
<input value="<%= book.image %>" type="file" name="image" >
<input value="<%= book.title %>" type="text" name="title" required>
<textarea name="desc">
<%= book.description %>
</textarea>
<button class="btn btn-success" type="submit"> Update </button>
</form>

Sorry, i guess just forgot to put the upload.single('image') method in there. That solved it for me.

passing get request from bootstrap button

How do I trigger a get request from a bootstrap button? I have the following code:
<form class="navbar-form navbar-right" role="form">
<div class="form-group">
<input type="text" placeholder="Email" class="form-control">
</div>
<div class="form-group">
<input type="password" placeholder="Password" class="form-control">
</div>
<button type="submit" class="btn btn-success">Sign in</button>
<button type="submit" class="btn btn-warning" value="/signup" id="submit">Sign up</button>
</form>
and would like this button to perform a get request with the following value "signup"
I am using a MEAN stack and the routes are set up so when the app is accessed with the get value /signup it goes to the signup page. But I am not able to get the bootstrap 3 button to post a get a request.

On your form you will need the following two attributes:
Action = "{URL TO SEND THE FORM TO}"
Method = "{GET or POST}"
For a signup with a username and password you should really think about doing a POST request so the form element should look like (for a POST request):
<form action="/signup" method="POST" class="navbar-form navbar-right" role="form">
or for a get request:
<form action="/signup" method="GET" class="navbar-form navbar-right" role="form">