Make sure that the CSRF token code sits above the other universal code, such as the 500 error page, the 400 error page or the session user code, so that res.locals is populated before any of them render a view.
Inside an async code snippet you need to pass the error to next() rather than throwing it; throwing only works in synchronous code, outside the async callback.
You should avoid infinite loops triggered through the error-handling middleware, as we had initially in this code:
app.use((error, req, res, next) => {
  // res.redirect('/500'); // redirecting to /500 runs the same middleware again, so an error raised on every request loops forever
  res.status(500).render('500', { pageTitle: 'Error', path: '/500', isAuthenticated: req.session.isLoggedIn });
});
Second
We can throw the error in synchronous code like this one, but inside promise then or catch blocks, or inside callbacks, you have to wrap the error in next().
For example, this is the user code in our application:
app.use((req, res, next) => {
  if (!req.session.user) {
    return next();
  }
  User.findById(req.session.user._id)
    .then(user => {
      if (!user) {
        return next();
      }
      req.user = user;
      next();
    })
    .catch(err => {
      // inside .catch() the error must be handed to Express through next(), not thrown
      next(new Error(err));
    });
});
The CSRF token code looks like this:
app.use((req, res, next) => {
  res.locals.isAuthenticated = req.session.isLoggedIn;
  res.locals.csrfToken = req.csrfToken();
  next();
});
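To see the three points above run together, here is an added example that is not code from the original post. It replaces Express with a small model of app.use() dispatch (no express import; the User model, req.session, the token value standing in for req.csrfToken() and the "db down" failure are all constructed), registers the CSRF/locals middleware first, and compares the redirecting error handler with the rendering one, plus a user middleware that throws inside its promise chain instead of calling next().

```javascript
// Added example, not code from the original post: a tiny model of Express's app.use()
// dispatch so the post's points run without a server. Handlers with four parameters run
// only after next(err); an error thrown inside .then()/.catch() never reaches them; and
// redirecting to /500 from the error handler re-enters every request-level middleware.
// "express" is not imported; User, req.session and the token value are stand-ins.
class MiniApp {
  constructor() { this.stack = []; }
  use(fn) { this.stack.push(fn); }
  // Resolves once a handler renders/redirects or the stack runs out. A synchronous throw
  // is forwarded to the error handlers; a rejection inside a promise chain is not (as in Express).
  handle(req) {
    return new Promise((resolve) => {
      let index = 0, error = null;
      const res = {
        statusCode: 200, locals: {}, rendered: null, redirectTo: null,
        status(code) { this.statusCode = code; return this; },
        render(view, data) { this.rendered = { view, data }; resolve({ res, ended: true }); },
        redirect(url) { this.redirectTo = url; resolve({ res, ended: true }); },
      };
      const step = (err) => {
        if (err !== undefined) error = err;
        while (index < this.stack.length) {
          const fn = this.stack[index++];
          if (Boolean(error) !== (fn.length === 4)) continue; // skip handlers of the wrong kind
          try {
            if (fn.length === 4) { const pending = error; error = null; fn(pending, req, res, step); }
            else fn(req, res, step);
          } catch (thrown) { step(thrown); }
          return;
        }
        resolve({ res, ended: false }); // nobody answered; Express would send its default page
      };
      step();
    });
  }
}
// Constructed stand-in for the Mongoose model: the database is "down" on every call.
const User = { findById: () => Promise.reject(new Error('db down')) };

// A rejection escaping a middleware's promise chain would crash a modern Node process;
// record the expected ones so the demo can report them, and keep crashing on anything else.
const escaped = [];
process.on('unhandledRejection', (r) => { if (String(r).includes('db down')) escaped.push(r); else throw r; });

function buildApp(userMiddleware, errorHandler) {
  const app = new MiniApp();
  app.use((req, res, next) => { // CSRF/locals first, so even the 500 view gets the token
    res.locals.isAuthenticated = req.session.isLoggedIn;
    res.locals.csrfToken = 'constructed-token'; // stands in for req.csrfToken()
    next();
  });
  app.use(userMiddleware);
  app.use(errorHandler);
  return app;
}

// The post's user middleware: the rejection is routed with next(new Error(err)).
const userViaNext = (req, res, next) => {
  if (!req.session.user) return next();
  User.findById(req.session.user._id)
    .then(user => { if (!user) return next(); req.user = user; next(); })
    .catch(err => next(new Error(err)));
};
// The same middleware throwing inside the chain: the error handler never runs.
const userViaThrow = (req, res, next) => {
  if (!req.session.user) return next();
  User.findById(req.session.user._id)
    .then(user => { req.user = user; next(); })
    .catch(err => { throw new Error(err); });
};
// The handler the post started with (the redirect re-enters the failing user middleware)
// beside the fixed one (render in place, so no second request is made).
const redirectingHandler = (error, req, res, next) => { res.redirect('/500'); };
const renderingHandler = (error, req, res, next) => {
  res.status(500).render('500', { pageTitle: 'Error', path: '/500', isAuthenticated: req.session.isLoggedIn });
};

// A browser that follows redirects, with each hop capped at `ms` and the hop count at 10,
// so the looping and hanging variants are reported instead of running forever.
async function browse(app, url, ms = 50) {
  const trail = [url], before = escaped.length;
  for (let hop = 0; hop < 10; hop++) {
    const reply = await Promise.race([
      app.handle({ url: trail[trail.length - 1], session: { user: { _id: 'u1' }, isLoggedIn: true } }),
      new Promise(resolve => setTimeout(() => resolve(null), ms)),
    ]);
    if (!reply) return { trail, outcome: 'hung', escaped: escaped.length - before };
    if (!reply.res.redirectTo) return { trail, outcome: reply.res.statusCode, csrfToken: reply.res.locals.csrfToken, escaped: escaped.length - before };
    trail.push(reply.res.redirectTo);
  }
  return { trail, outcome: 'redirect loop', escaped: escaped.length - before };
}
let demoRun; // memoised so stand-alone use and a test harness share one run
function demo() {
  return demoRun || (demoRun = (async () => ({
    looping: await browse(buildApp(userViaNext, redirectingHandler), '/'),
    fixed: await browse(buildApp(userViaNext, renderingHandler), '/'),
    viaThrow: await browse(buildApp(userViaThrow, renderingHandler), '/'),
  }))());
}

demo().then(result => console.log(JSON.stringify(result, null, 2)));
```

Running it prints three results: the redirecting handler bounces the browser between / and /500 until the hop cap stops it, the rendering handler answers the first request with status 500 and a view that already has res.locals.csrfToken, and the throwing variant never answers at all while one rejection escapes the request entirely, which is why the post insists on next() inside then, catch and callbacks.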
Check the blog for more information about the CSRF token.