I've been struggling with implementing CSRF token generation, and I don't know what I'm doing wrong.
server.js:
// set up ======================================================================
var express = require('express');
var port = process.env.PORT || 8080;
var mongoose = require('mongoose');
var fs = require('fs');
var csrf = require('csurf');
.
.
.
var app = express();
app.use(csrf());
app.use(function(req, res, next) {
res.locals.token = req.csrfToken();
next();
});
.
.
.
login.ejs:
<form action="/login" method="post">
<!--form fields-->
</form>
.
.
.
<input type="hidden" name="_csrf" value="<%= token %>">
When I try to open the login page, I get the following in the node.js console:
token is not defined
.
.
.
GET /login 500 93ms - 1.64kb
\
EDIT: server.js now looks like this:
var express = require('express');
var port = process.env.PORT || 8080;
var mongoose = require('mongoose');
var fs = require('fs');
var csrf = require('csurf');
.
.
.
var app = express();
require('./config/express')(app, __dirname);
require('./config/routes')(app);
app.use(csrf());
app.use(function(req, res, next) {
res.locals.token = req.csrfToken();
next();
});
The login page loads now, but the CSRF token is undefined.