I'm setting up Stripe to work with my sails.js server, and in order to use Stripe's webhooks, I need to disable CSRF for the URLs I provide to Stripe.
Is it possible to make certain URLs exempt from CSRF POST requirements in sails.js? The only configuration I can find for CSRF is to turn it on globally, and looking through the source code for the csrf hook (https://github.com/balderdashy/sails/blob/master/lib/hooks/csrf/index.js) it looks like if I try to provide a custom object, it just gets replaced with the global settings anyway.
Thanks
asked Mar 4, 2015 at 6:30 by Murcho; edited Jul 21, 2015 at 9:59 by Armel Larcier
- possibly related (expressjs): stackoverflow.com/questions/13516898/… also related: gist.github.com/mikermcneil/5737561#sailsconfigcontrollercsrf – timh Commented Mar 4, 2015 at 6:36
- @timh I had looked at that, and you can provide middleware like that in sails.js via policies, however the existing csrf policy would run before the custom one. – Murcho Commented Mar 4, 2015 at 20:50
2 Answers
So after reading through the csrf hook linked in the question a bit more, I managed to work it out.
As of v0.11.0:
If you try to provide an object with settings in the csrf.js config file, the hook simply overwrites them with "default on" for all settings. The csrf object ends up looking like this:
{
grantTokenViaAjax: true,
protectionEnabled: true,
origin: '-',
routesDisabled: '-'
}
In order to add route exemptions to the object, you need to do it after this has been set up, so I did this in config/bootstrap.js. So to add the route "http://yourhost.com/webhooks/testhook/":
// In bootstrap.js
sails.config.csrf.routesDisabled = "/webhooks/testhook";
If you want to add more than one hook, you add them in the same string, comma delimited:
// In bootstrap.js
sails.config.csrf.routesDisabled = "/webhooks/testhook,/webhooks/anotherhook";
So Murcho's solution is working but actually, sails v0.11 has a config file just for that:
In config/csrf.js, after the line where you activate csrf protection, lies this comments block:
/****************************************************************************
* *
* You may also specify more fine-grained settings for CSRF, including the *
* domains which are allowed to request the CSRF token via AJAX. These *
* settings override the general CORS settings in your config/cors.js file. *
* *
****************************************************************************/
// module.exports.csrf = {
// grantTokenViaAjax: true,
// origin: ''
// }
You just need to add a config object there to extend the defaults:
module.exports.csrf = {
"routesDisabled": "/webhooks/testhook,/webhooks/anotherhook"
}
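Both answers configure a comma-delimited `routesDisabled` string and rely on the hook to skip the CSRF check for those paths. The following is an added example, not code from Sails or from either answer, showing what such an exemption list has to do inside a guard: parse the string (tolerating spaces after the commas), treat the hook's `'-'` value as "no exemptions", and let unsafe requests through only when the path is exempt or the submitted token matches the session token. The matching rule (trimmed exact match, plus an assumed `/*` suffix wildcard), the `_csrf` body field and the `x-csrf-token` header are illustration choices, not Sails' own implementation.

```javascript
// Added example (not Sails' hook): a minimal CSRF guard that honours a
// comma-delimited "routesDisabled" string like the one configured above.
// Assumed matching rule: trimmed exact path match, or prefix match when an
// entry ends with "/*". Sails' real hook may differ.

// Parse "/webhooks/testhook, /webhooks/anotherhook" into a clean array.
// '-' is the "nothing configured" marker seen in the dumped config above.
function parseRoutesDisabled(routesDisabled) {
  if (!routesDisabled || routesDisabled === '-') return [];
  return routesDisabled
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// True when the request path is on the exemption list.
function isCsrfExempt(routesDisabled, path) {
  return parseRoutesDisabled(routesDisabled).some((route) =>
    route.endsWith('/*') ? path.startsWith(route.slice(0, -1)) : route === path
  );
}

// Express/Sails-style middleware: state-changing requests must carry a token
// equal to the one stored in the session, unless the path is exempt.
function csrfGuard(config) {
  const unsafe = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
  return function (req, res, next) {
    if (!unsafe.has(req.method) || isCsrfExempt(config.routesDisabled, req.path)) {
      return next();
    }
    const token = (req.body && req.body._csrf) || req.headers['x-csrf-token'];
    if (!token || !req.session || token !== req.session.csrfToken) {
      res.statusCode = 403;
      return res.end('CSRF mismatch');
    }
    return next();
  };
}

// Constructed request objects and a fake response so the guard runs offline;
// returns 'next' when the request is let through, otherwise "<status> <body>".
function simulate(config, req) {
  let outcome = null;
  const res = {
    statusCode: 200,
    end: (msg) => { outcome = `${res.statusCode} ${msg}`; },
  };
  csrfGuard(config)(req, res, () => { outcome = 'next'; });
  return outcome;
}

const config = { routesDisabled: '/webhooks/testhook, /webhooks/anotherhook' };

// Webhook POST with no token passes because its route is exempt.
simulate(config, { method: 'POST', path: '/webhooks/testhook', headers: {}, body: {} });
// Ordinary form POST with no token is rejected.
simulate(config, {
  method: 'POST', path: '/account/delete', headers: {}, body: {},
  session: { csrfToken: 'abc' },
});
```

Note what the exemption buys and costs: a route listed in `routesDisabled` accepts any cross-site POST, so a webhook endpoint exempted this way must authenticate its caller by some other means (for Stripe, the signature it attaches to each event) rather than trusting the request body. A production guard should also compare tokens with a constant-time comparison rather than `!==`.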