Securing Acme Bank Project - CSRF Problems (Node, Express .js)

Hi everyone,

I’ve been following the instructions, watched the help video, looked at the solution code and the documentation, and I can’t seem to identify my mistake.

When using csurf and the csrfMiddleware I keep getting this error:

ForbiddenError: invalid csrf token
    at csrf (C:\Users\aidan\projects\Acme Bank\node_modules\csurf\index.js:112:19)
    at Layer.handle [as handle_request] (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\layer.js:95:5)
    at next (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\route.js:137:13)
    at Route.dispatch (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\route.js:112:3)
    at Layer.handle [as handle_request] (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\layer.js:95:5)
    at C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\index.js:281:22
    at Function.process_params (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\index.js:335:12)
    at next (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\index.js:275:10)
    at internalNext (C:\Users\aidan\projects\Acme Bank\node_modules\helmet\dist\index.js:142:6)
    at xXssProtectionMiddleware (C:\Users\aidan\projects\Acme Bank\node_modules\helmet\dist\middlewares\x-xss-protection\index.js:6:3)

The Repo

Any help would be greatly appreciated.
Thanks,

Aidan

Hello.

You included the _csrf hidden field twice in views/transfers.ejs, so it is sent as an array with two elements. But the server expects to receive a single string value, and therefore cannot process the received data.
You can use the “Network” tab of the browser’s developer console to see what’s sent to the server. For example, in Firefox, use F12 to open it.

Hi,

Thanks for the response; I can’t believe I never spotted that! I’ve removed the second input, but I’m still getting the same problem when submitting the form. From what I can tell, it appears to only be submitting it as a string. Any other ideas?

Hi!

With the current version of the code, I can’t get the same error again. What form are you submitting before getting the error? And the error is exactly the same?

Hey,

I’m using the transfer form. The main error is the same but I believe it’s changed a little:

ForbiddenError: invalid csrf token
    at csrf (C:\Users\aidan\projects\Acme Bank\node_modules\csurf\index.js:112:19)
    at Layer.handle [as handle_request] (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\layer.js:95:5)
    at next (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\route.js:137:13)
    at Route.dispatch (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\route.js:112:3)
    at Layer.handle [as handle_request] (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\layer.js:95:5)
    at C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\index.js:281:22
    at Function.process_params (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\index.js:335:12)
    at next (C:\Users\aidan\projects\Acme Bank\node_modules\express\lib\router\index.js:275:10)
    at internalNext (C:\Users\aidan\projects\Acme Bank\node_modules\helmet\dist\index.js:142:6)
    at xXssProtectionMiddleware (C:\Users\aidan\projects\Acme Bank\node_modules\helmet\dist\middlewares\x-xss-protection\index.js:6:3)
