Develop Reference

NodeJS csrf protection gives ForbiddenError invalid csrf token only on one POST request form

I have been unsuccessfully trying to find a solution on Google for the past several hours for the following issue:
I have csurf set up and working well. It works for POST requests related to signing up/in users. I am trying to create a form in the user profile, that updates the user's data, but when I hit submit, I get ForbiddenError: invalid csrf token.
On further testing, the csrt token is created on the profile page, but for some reason, it is invalid.
(I have only recently picked up programming, I'm willing to provide additional information if I have missed something.)
Tools used:
Node.js v10.16.3
Express v4.17.1
ejs v2.7.1
csurf v1.10.0
Express session v1.16.2
Passport v^0.4.0
cookie-parser 1.4.4
body-parser v1.19.0
My app.js
let express = require("express"),
app = express(),
bodyParser = require("body-parser"),
cookieParser = require('cookie-parser'),
session = require("express-session"),
mongoose = require("mongoose"),
passport = require("passport"),
flash = require('connect-flash'),
validator = require('express-validator'),
LocalStrategy = require("passport-local"),
csrf = require('csurf'),
csrfProtection = csrf({ cookie: true }),
MongoStore = require('connect-mongo')(session);
let indexRoutes = require('./routes/index');
let userRoutes = require('./routes/user');
let User = require("./models/user");
// APP CONFIGURATION
mongoose.connect("mongodb://localhost:27017/azax", { useNewUrlParser: true, useUnifiedTopology: true, }).then(() => {
console.log("Connected to MongoDB");
}).catch((error) => {
console.log("Something is wrong...");
});
require('./config/passport');
// View engine setup
app.set("view engine", "ejs");
app.use(express.static(__dirname + "/public"));
// Initial setup
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));
app.use(validator());
// Session setup
app.use(cookieParser());
app.use(session({
secret: 'somesecretforbytox',
resave: false,
saveUninitialized: false
}));
app.use(flash());
// Initialize passport
app.use(passport.initialize());
app.use(passport.session());
app.use(csrf());
// CSRF
app.use(function (req, res, next) {
var token = req.csrfToken();
res.cookie('XSRF-TOKEN', token);
res.locals.csrfToken = token;
next();
});
app.use(function (req, res, next) {
res.locals.currentUser = req.user;
res.locals.session = req.session;
next();
});
// ======================
// Connect to route files
// ======================
app.use('/user', userRoutes);
app.use(indexRoutes);
app.listen(3033, function () {
console.log("Listening at port 3033...");
});
My passport.js:
let passport = require('passport');
let User = require('../models/user');
let LocalStrategy = require('passport-local').Strategy;
passport.serializeUser(function (user, done) {
done(null, user.id);
});
passport.deserializeUser(function (id, done) {
User.findById(id, function (err, user) {
done(err, user);
});
});
passport.use('local-signup', new LocalStrategy({
usernameField: 'email',
passwordField: 'password',
passReqToCallback: true
}, function (req, email, password, done) {
req.checkBody('username', 'Invalid username').notEmpty();
req.checkBody('email', 'Invalid email').notEmpty().isEmail();
req.checkBody('password', 'Invalid password').notEmpty().isLength({ min: 4 });
let errors = req.validationErrors();
if (errors) {
let messages = [];
errors.forEach(function (error) {
messages.push(error.msg);
});
return done(null, false, req.flash('error', messages));
}
User.findOne({ 'email': email }, function (err, user) {
if (err) {
return done(err);
}
if (user) {
return done(null, false, { message: 'Вече има акаунт с този имейл.' })
}
let username = req.body.username;
let newUser = new User();
newUser.username = username;
newUser.email = email;
newUser.password = newUser.encryptPassword(password);
newUser.country = 'България';
newUser.save(function (err, result) {
if (err) {
return done(err);
}
return done(null, newUser);
});
});
}));
passport.use('local-signin', new LocalStrategy({
usernameField: 'email',
passwordField: 'password',
passReqToCallback: true
}, function (req, email, password, done) {
// req.checkBody('username', 'Invalid username').notEmpty();
req.checkBody('email', 'Invalid email').notEmpty();
req.checkBody('password', 'Invalid password').notEmpty();
let errors = req.validationErrors();
if (errors) {
let messages = [];
errors.forEach(function (error) {
messages.push(error.msg);
});
return done(null, false, req.flash('error', messages));
}
User.findOne({ 'email': email }, function (err, user) {
if (err) {
return done(err);
}
if (!user) {
return done(null, false, { message: 'Акаунтът не е намерен.' });
}
if (!user.validPassword(password)) {
return done(null, false, { message: 'Грешна парола.' });
}
return done(null, user);
});
}));
HTML...:
<form action="/user/profile" method="POST" class="form-validate form-horizontal" enctype="multipart/form-data">
<fieldset>
<legend>Edit address</legend>
<!-- email -->
<div class="control-group">
<div class="control-label">
<label id="jform_email1-lbl" for="jform_email" class="hasPopover required" title="" data-content="Enter new email address." data-original-title="Email Address">
Email<span class="star"> *</span></label>
</div>
<div class="controls">
<input type="email" name="email" class="validate-email required" id="jform_email" value="<%= (typeof currentUser.email != 'undefined' ? currentUser.email : '') %>" size="30" autocomplete="email" required aria-required="true">
</div>
</div>
<!-- name -->
<div class="control-group">
<div class="control-label">
<label id="jform_fname-lbl" for="jform_fname" class="hasPopover required" title="" data-content="Enter new name." data-original-title="Name">
Name<span class="star"> *</span></label>
</div>
<div class="controls">
<input type="text" name="firstName" id="jform_fname" value="<%= (typeof currentUser.firstName != 'undefined' ? currentUser.firstName : '') %>" class="required" size="30" required aria-required="true">
</div>
</div>
</fieldset>
<div class="form-actions">
<input type="hidden" name="_csrf" value="<%= csrfToken %>">
<button type="submit" class="btn btn-primary validate">
<span>Save</span>
</button>
<a class="btn" href="/" title="Cancel">Cancel</a>
</div>
</form>
user.js:
let express = require('express'),
router = express.Router(),
csrf = require('csurf'),
csrfProtection = csrf(),
passport = require('passport');
router.use(csrfProtection);
let User = require("../models/user");
// user profile
router.get("/profile", isLoggedIn, csrfProtection, function (req, res) {
res.render("user/profile", { csrfToken: req.csrfToken(), currentUser: req.user });
});
router.post('/profile', (req, res) => {
updateRecord(req, res);
res.redirect('/profile');
});
// update user data
function updateRecord(req, res) {
User.findOne({ _id: req.user.id }, (err, doc) => {
doc.name = req.body.name;
doc.save(function (err, doc) {
});
});
}
router.get("/profile/edit", isLoggedIn, csrfProtection, function (req, res) {
res.render("user/edit", { csrfToken: req.csrfToken(), currentUser: req.user });
});
// sign up form works with csrf
// signup form
router.get("/signup", csrfProtection, function (req, res) {
let messages = req.flash('error');
res.render("user/signup", { csrfToken: req.csrfToken(), messages: messages, hasErrors: messages.length > 0 });
});
// ... more routes
module.exports = router;
// middleware
function isLoggedIn(req, res, next) {
if (req.isAuthenticated()) {
return next();
}
res.redirect('/user/login');
}

What worked for me was adding the below hidden field to every form:
<input type="hidden" name="_csrf" value="<%= csrfToken %>">
and sending the token to every get request to the template page displaying the form.
{csrfToken: req.csrfToken()}
like
router.get('/user/login',function(req,res){
res.render('pages/login', {csrfToken: req.csrfToken()});
})
this fixed the error in whole app.

passport.js Login Not Working

I am using mongodb and mongoose as my database, i am able to register users but once registered can't login .As I click login, it keep on loading and never stops. I searched the internet for an answer but couldn't find it. Hoping for a positive reply.
I am trying to figure it out, but I had no success.
Here is the code:
auth.js(contains login function)
router.route('/login')
.get((req, res, next)=>{
let context = {}
res.render('login', context)
})
.post(passport.authenticate('local',{
successRedirect: '/',
failureRedirect:'/login'
}));
users.js(database file)(i am using mongodb)
const mongoose = require('mongoose');
const crypto = require('crypto');
let userSchema = new mongoose.Schema({
email:{
type:String,
unique:true,
required:true,
},
name:{
type:String,
required:true,
},
hash:String,
salt:String,
facebookId:String
});
userSchema.methods.setPassword = function (password){
this.salt = crypto.randomBytes(16).toString('hex');
this.hash = crypto.pbkdf2Sync(password, this.salt, 1000, 64, 'sha1').toString('hex');
}
userSchema.methods.validPassword = function(password){
let hash = crypto.pbkdf2Sync(password, this.salt, 1000, 64, 'sha1').toString('hex');
return this.hash === hash;
}
module.exports = mongoose.model('User', userSchema);
passport.js
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;
passport.serializeUser(function(user, done){
done(null, user.id);
});
passport.deserializeUser(function(id, done){
User.findById(id, function(err, user){
done(err, user);
});
});
passport.use(new LocalStrategy({
usernameField:'email'
},
function(username, password, done){
User.findOne({email:username, function(err, user){
if(err) return done(err);
if(!user){
return done(null, false,{
message:'incorrect username and password'
});
}
if(!user.validPassword(password)){
return done(null, false, {
message: 'incorrect username and password'
});
}
return done(null, user);
}});
}
));
register.hbs(Html file)
<h3>New Account</h3>
<div class="mdl-grid center">
<form method="post" class="registerForm">
{{#each errorMessages}}
<div class="dialog mdl-cell mdl-cell--3-offset-desktop mdl-cell--1-offset-tablet mdl-cell--6-col">
{{this.msg}}
</div>
{{/each}}
<div class="mdl-textfield mdl-js-textfield mdl-textfield--floating-label mdl-cell mdl-cell--6-col">
<input class="mdl-textfield__input" type="text" id="name" name='name' value="{{ name }}">
<label class="mdl-textfield__label" for="name">First Name</label>
</div>
<div class="mdl-textfield mdl-js-textfield mdl-textfield--floating-label mdl-cell mdl-cell--6-col">
<input class="mdl-textfield__input" type="email" id="email" name='email' value="{{ email }}">
<label class="mdl-textfield__label" for="email">Email</label>
</div>
<div class="mdl-textfield mdl-js-textfield mdl-textfield--floating-label mdl-cell mdl-cell--6-col">
<input class="mdl-textfield__input" type="password" id="pass" name='password' value="{{ password }}">
<label class="mdl-textfield__label" for="password">Password</label>
</div>
<div class="mdl-textfield mdl-js-textfield mdl-textfield--floating-label mdl-cell mdl-cell--6-col">
<input class="mdl-textfield__input" type="password" id="c_pass" name='c_pass' value="{{ c_pass }}">
<label class="mdl-textfield__label" for="c_pass">Confirm Password</label>
</div>
<button class="mdl-button mdl-js-button mdl-button--raised mdl-button--colored mdl-cell mdl-cell--6-col" type="submit">
Register
</button>
<div>or</div>
<a class="mdl-button mdl-js-button mdl-button--raised mdl-button--colored mdl-cell mdl-cell--6-col" href='/auth/facebook'>
Sign In with Facebook
</a>
</form>
</div>
app.js(main file)
var createError = require('http-errors');
var express = require('express');
var path = require('path');
var cookieParser = require('cookie-parser');
var logger = require('morgan');
const bodyParser = require('body-parser');
const expressValidator = require('express-validator');
const mongoose = require('mongoose');
const passport = require('passport');
const session = require('express-session');
require('./passport');
const config = require('./config');
var indexRouter = require('./routes/index');
var authRouter = require('./routes/auth');
mongoose.connect(config.databaseConn, { useNewUrlParser: true });
global.User = require('./models/user.js');
var app = express();
// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'hbs');
app.use(logger('dev'));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(expressValidator());
app.use(cookieParser());
app.use(session({
secret:config.sessionKey,
resave:false,
saveUninitialized:true,
cookie:{secure:true}
}));
app.use(passport.initialize());
app.use(passport.session());
app.use(express.static(path.join(__dirname, 'public')));
app.use((req, res,next)=>{
if(req.isAuthenticated()){
res.locals.user =req.user;
}
next();
});
app.use('/', indexRouter);
app.use('/', authRouter);
This is not the complete code. Please refer the link below for complete code.
https://github.com/satyamdhawan/collaborative_editor
Please review the complete code on GitHub.

Can you check if changing this:
passport.use(new LocalStrategy({
usernameField:'email'
},
function(username, password, done){
User.findOne({email:username, function(err, user){
if(err) return done(err);
if(!user){
return done(null, false,{
message:'incorrect username and password'
});
}
if(!user.validPassword(password)){
return done(null, false, {
message: 'incorrect username and password'
});
}
return done(null, user);
}});
}
to this:
passport.use(
'local',
new LocalStrategy(
{usernameField: 'email'},
(email, password, done) => {
User.findOne({where: {email: email}})
.then(user => {
if(!user){
return done(null, false, {message: 'Incorrect username and password. '});
}
return user.validPassword(password) ?
done(null, user) :
done(null, false, {message: 'Incorrect username and password. '});
})
.catch(() => done(null, false, {message: 'Incorrect username and password. '}))
}
)
)
makes a diference

passport authentication always fails

I'm trying to setup a simple login page using express framework , mongodb and passport for authentication.
My authentication always goes to the failstate. Where am I wrong ?
my sever.js:
var express = require("express");
var app = express();
var bodyParser = require('body-parser');
var cors = require('cors');
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;
//var router = express.Router();
var path = require('path');
var mongoose = require('mongoose');
var User = require('./model');
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(cors());
app.use(passport.initialize());
app.use(passport.session());
passport.use(new LocalStrategy(
function(username, password, done) {
users.findOne({
username : 'username'
}, function(err, user) {
if (err) {
return done(err);
}
if (!user) {
return done(null, false);
}
if (user.password != password) {
return done(null, false);
}
return done(null, user);
});
}
));
app.post('/login',
passport.authenticate('local', { failureRedirect: '/error' }),
function(req, res) {
res.redirect('/success?username='+req.user.username);
});
//app.use("/",router);
//app.use(bodyParser());
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(cors());
app.get('/success', (req, res) => res.send("Welcome "+req.query.username+"!!"));
app.get('/error', (req, res) => res.send("error logging in"));//ALWAYS LAND HERE
passport.serializeUser(function(user, cb) {
cb(null, user.id);
});
/*passport.deserializeUser(function(id, cb) {
User.findById(id, function(err, user) {
cb(err, user);
});
});
*/
//app engine
app.set('view engine', 'ejs');
app.set('views', path.join(__dirname, 'views'));
mongoose.connect('mongodb://localhost:27017/UserSchema');
/*
router.use(function (req,res,next) {
console.log("/" + req.method);
next();
});*/
app.get("/",function(req,res){
res.render('index');
});
app.post("/user",function (req, res) {
var u = new User();
//console.log(req.body);
u.email = req.body.email;
u.name = req.body.name;
u.password = req.body.password;
//p.photo = req.body.photo;
u.save(function (err) {
if (err) {
res.send(err);
}
res.render('login');
});
});
app.get("/login",function (req, res) {
res.render('login');
});
app.get("/all",function (req, res) {
User.find(function (err, products) {
if (err) {
res.send(err);
}
res.send(products);
});
});
/*
router.get("/about",function(req,res){
res.sendFile(path + "about.html");
});
router.get("/contact",function(req,res){
res.sendFile(path + "contact.html");
});
app.use("*",function(req,res){
res.sendFile(path + "404.html");
});
*/
app.listen(3000,function(){
console.log("Live at Port 3000");
});
sorry for the junk comments
here is my mongoose schema (model.js):
var mongoose = require('mongoose');
var Schema = mongoose.Schema;
var UserSchema = new Schema({
email: String,
name: String,
password: String,
//photo: String,
});
module.exports = mongoose.model('User', UserSchema);
my login.ejs :
<!DOCTYPE html>
<html>
<<title>Login</title>
<body>
<form action="/login", method="post">
Email:<br>
<input type="text" name="username">
<br>
Password:
<br>
<input type="text" name="password">
<br><br>
<input type="submit" value="Submit">
</form>
</body>
</html>
and my registration page which is able to register and insert in db:
<!DOCTYPE html>
<html>
<body>
<form action="/user", method="post">
Email:<br>
<input type="text" name="email">
<br>
Name:<br>
<input type="text" name="name" >
<br>
Password:
<br>
<input type="text" name="password">
<br><br>
<input type="submit" value="Submit">
</form>
<a href="/login"/><input type="submit" value="Login">
</body>
</html>

You imported your MongoDB User model as:
var User = require('./model');
However, you are calling the .findOne() method on "users"
passport.use(new LocalStrategy(
function(username, password, done) {
users.findOne({
username : 'username'
}, function(err, user) {
Should it not be User.findOne()
If that doesn't resolve the issue then you should elaborate more on what you mean by "my application always go to the failstate".

Node.js app.post for passport-local signup form not working

I'm trying to setup passport local sign-in but the form doesn't do anything when submitted.
My app.js code:
var express = require('express');
var app = express();
app.use(express.static(__dirname + '/public'));
var credentials = require('./credentials.js');
app.use(require('cookie-parser')(credentials.cookieSecret));
app.use(require('body-parser').urlencoded({extended: false}));
var session = require('express-session');
app.use(session({
resave: false,
saveUninitialized: true,
secret: 'keyboard cat'
}));
var passport = require('passport');
app.use(passport.initialize());
app.use(passport.session());
app.disable('x-powered-by');
var handlebars = require('express-handlebars').create({defaultLayout:'main'});
app.engine('handlebars', handlebars.engine);
app.set('view engine', 'handlebars');
app.set('port', process.env.PORT || 3000);
app.post('/login', function(req, res){console.log("body parsing", req.body)});
app.get('/login', function(req, res) {
res.render('login');
});
The form html at /login for sign-ins:
<form action="/login" method="post">
<div>
<label>Username:</label>
<input type="text" name="username"/>
</div>
<div>
<label>Password:</label>
<input type="password" name="password"/>
</div>
<div>
<button type="submit">Submit</button>
</div>
</form>
When I fill in username and password nothing prints out into the console from the post request. What do I have wrong?

You have to serialize and deserialize the user details to make the user authenticated.
Here's and example.
services.js
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;
const User = require('../models/user');
//serialize and deserialize
passport.serializeUser(function(user, done) {
done(null, user._id);
});
passport.deserializeUser(function(id, done) {
User.findById(id, function(err, user) {
done(err, user);
});
});
//middleware
passport.use('local-login', new LocalStrategy({
usernameField: 'email',
password: 'password',
passReqToCallback: true
}, (req, email, password, done) => {
User.findOne({ email: email.toLowerCase() }, function(err, user) {
if (err) return done(err);
if (!user) {
return done(null, false, req.flash('loginMessage', 'No user has been found'));
}
if (!user.comparePassword(password)) {
return done(null, false, req.flash('loginMessage', 'Oops! Wrong Password.'));
}
return done(null, user);
});
}));
//custom function to validate
exports.isAuthenticated = function(req, res, next) {
if (req.isAuthenticated()) {
return next();
}
res.redirect('/login');
}
and once you do the serializing, you have to actually apply the process to the router. i.e, make the user details enter passport.
In your router file:
const passportConfig = require('services.js');
Then you can simply access the data via req.user

I found that removing this AMP js script solves the issue. For some reason it breaks the post requests.
<script async src="https://cdn.ampproject.org/v0.js"></script>

how to create session using node.js?

I want to create session for my pages, when give a url like http://localhost:3000/pages/profile it will goes to that page without logged in. What should i do now to fix this problem.
node.js
module.exports = function(app, express, passport){
var router = express.Router();
passport.use(new LocalStrategy({
usernameField: 'username',
passwordField: 'password'},
function(username, password, done) {
User.findOne({ name : username}, function(err, user) {
if (!user){
return done(null, false,{message: 'Incorrect username' });
}
if(user){
var validPassword = user.comparePassword(password);
if(!validPassword){
return done(null, false,{message: 'Incorrect password' });
}
}
return done(null, user);
});
}
));
router.post('/pages/auth/login', function(req, res, next) {
passport.authenticate('local', function(err, user, info) {
if (user === false) {
console.log("login error ");
return res.json({
success:false,
message: info.message,
});
} else {
console.log("login success");
return res.json({
success:true,
//message: 'Login Success',
});
}
})(req, res, next);
});
}
controller
function LoginController($http, $location, Auth, $rootScope)
{
var vm = this;
vm.submitPost = function(userData){
$http({
url: 'http://localhost:7200/api/pages/auth/login',
method: 'POST',
data: userData
}).then(function(res) {
if(res.data.success){
$location.path('/pages/profile');
} else {
vm.message=res.data.message;
$location.path('/pages/auth/login');
}
}, function(error) {
console.log(error);
alert(error.data);
});
};
}
login.html
<form name="loginForm">
<div class="alertmessage" >{{vm.message}}</div>
<md-input-container flex md-no-float>
<input ng-model="vm.form.username" placeholder="Username" translate
translate-attr-placeholder="LOGIN.USERNAME" name="username" required="true">
<div ng-messages="loginForm.username.$error" ng-show="loginForm.username.$touched">
<div ng-message="required">This field is required</div>
</div>
</md-input-container>
<md-input-container flex md-no-float>
<input ng-model="vm.form.password" type="password" placeholder="Password" translate
translate-attr-placeholder="LOGIN.PASSWORD" name="password" required="true">
<div ng-messages="loginForm.password.$error" ng-show="loginForm.password.$touched">
<div ng-message="required">This field is required</div>
</div>
</md-input-container>
<div class="remember-forgot-password" layout="row" layout-sm="column"
layout-align="space-between center">
<md-checkbox class="remember-me" ng-model="data.cb1" aria-label="Remember Me">
<span translate="LOGIN.REMEMBER_ME">Remember Me</span>
</md-checkbox>
<a ui-sref="app.pages_auth_forgot-password" class="forgot-password md-accent-color"
translate="LOGIN.FORGOT_PASSWORD">Forgot Password?</a>
</div>
<md-button class="md-raised md-accent" aria-label="LOG IN" translate="LOGIN.LOG_IN"
translate-attr-aria-label="LOGIN.LOG_IN"
ng-click="vm.submitPost(vm.form);">
LOG IN
</md-button>
</form>

I have a Node.js project with sessions and in my index.js I have the following:
var session = require('express-session');
var MongoStore = require('connect-mongo')(session);
app.use(session({
secret: config('session_secret'),
store: new MongoStore({ mongooseConnection: mongoose.connection }),
resave: true,
saveUninitialized: true
}));
app.use(passport.initialize());
app.use(passport.session());
If you don't use MongoDB you can drop the "store" element. Then it uses the default store which is MemoryStore.
To prevent non-authenticated users accessing a page you can do this:
router.get('/secure-page', isLoggedIn, function(req, res) {
res.json({secure: "page"});
});
function isLoggedIn(req, res, next) {
// if user is authenticated in the session, carry on
if (req.isAuthenticated()) {
return next();
}
else {
// redirect to login page.
res.redirect('/login');
}
}

One way is storage values the session with express session, and then interceptade each route with middleware as verify if user is logged or not, somelike this...
Middleware autentic:
module.exports = function(req, res, next) {
if(!req.session.user) {
return res.redirect('/');
}
return next();
};
req.session.user is a variable create in session in login controller for storage username.
And intercept the route, verifying with user is logged:
...
app.get('pages/profile', autentic, controller.function);
...
If user is not logged will redirect to home page.
But, I suggest you to use passport.js:
Passport is authentication middleware for Node.js. Extremely flexible
and modular, Passport can be unobtrusively dropped in to any
Express-based web application. A comprehensive set of strategies
support authentication using a username and password, Facebook,
Twitter, and more.
See the docs for learn how to use and search here in the stack overflow too.