Is it possible to exclude specific URLs from CSRF protection in sails.js?

I am currently integrating Stripe with my sails.js server and need to disable CSRF for specific URLs in order to utilize Stripe's webhooks effectively.

Is there a way to exempt certain URLs from CSRF POST requirements within sails.js? I have searched for configuration options related to CSRF but can only find settings to enable it globally. Upon reviewing the source code for the csrf hook (https://github.com/balderdashy/sails/blob/master/lib/hooks/csrf/index.js), it seems that any custom object provided gets replaced by the global settings anyway.

Appreciate any insights on this issue.

javascriptnode.jssails.jscsrfstripe-payments

Answer №1

After diving into the csrf hook mentioned in the question, I was able to figure it out.

Starting from version 0.11.0:

When providing an object with settings in the csrf.js config file, all settings are simply overwritten with "default on." As a result, the csrf object ends up like this:

{
  grantTokenViaAjax: true,
  protectionEnabled: true,
  origin: '-',
  routesDisabled: '-'
}

To add route exemptions to the object, you must do so after the initial setup, which I did in config/bootstrap.js. For example, to add the route "":

// In bootstrap.js
sails.config.csrf.routesDisabled = "/webhooks/testhook";

If you need to add multiple hooks, they can be included in the same string separated by commas:

// In bootstrap.js
sails.config.csrf.routesDisabled = "/webhooks/testhook,/webhooks/anotherhook";

Answer №2

Murcho's solution is effective, but there is actually a specific config file in sails v0.11 for this purpose:

Inside config/csrf.js, you will find a comments block placed after enabling csrf protection:

/****************************************************************************
*                                                                           *
* You may also specify more detailed settings for CSRF, such as the          *
* domains allowed to request the CSRF token via AJAX. These settings         *
* override the general CORS settings in your config/cors.js file.            *
*                                                                           *
****************************************************************************/

// module.exports.csrf = {
//    grantTokenViaAjax: true,
//    origin: ''
// }

To customize further, simply add a new configuration object:

module.exports.csrf = {
  "routesDisabled": "/webhooks/testhook,/webhooks/anotherhook"
}

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Unique Tags and Javascript: A customized approach

In the process of developing a web application, I am aiming for high standardization. To achieve this goal, I plan to utilize custom namespace tags that will be modified by JavaScript based on their functionality. For instance: <script type="text/java ...

javascripthtmlxml-namespaces

Interacting with various Node.js APIs from a React frontend

Hey there! I'm currently working on a project that utilizes Node.js (Typescript) for the backend and React with Express for the frontend. The backend consists of 3 docker containers, each assigned to different ports - 1 for Postgres, 2 for ServiceA, ...

node.jsreactjsdocker

Remember to always call "done()" in Typescript + Mocha/Chai when dealing with async tests and hooks. Additionally, when returning a Promise, make sure it resolves correctly

It seems like I'm facing an old issue that I just can't seem to resolve, despite trying everything in my power. The error message reads: Error: Timeout of 2000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Pro ...

node.jstypescriptmocha.jschai

My Vue.js accordion menu component is experiencing issues with toggle flags, causing it to malfunction

I have been working on my test case using Vue and I recently created a component called MultiAccordion. My intention was to open each slide based on the value of the status[index] flag. However, I am encountering an issue as this component does not seem ...

javascriptvue.js

Effectively implementing an event observer for dynamically loaded content

I want to set up an event listener that triggers when any of the Bootstrap 3 accordions within or potentially within "#myDiv" are activated. This snippet works: $('#myDiv').on('shown.bs.collapse', function () { //code here }); Howeve ...

javascriptjqueryajaxtwitter-bootstrap

Set up Express.js using npm

Just set up nodejs on my Ubuntu 14.04 system. Upon running node --version, I see that it's v4.4.2. Also, npm is installed with version 3.9.2. When I execute the command npm install -g express, this is the output I get: install express js Once the ins ...

node.jsexpressnpm

What are the reasons for a Lambda function not being triggered when added as a target to an Event Bridge Rule?

I have encountered an issue with setting a rule and a lambda target for EventBridge. Although I have successfully added the rule and target, the Lambda is not being triggered. Additionally, when I look at the target Lambda function on the AWS Console, I do ...

node.jsamazon-web-servicesaws-lambdaserverless-frameworkaws-event-bridge

Obtaining the Server IP Address for Email Communication in Node.js

Currently, I am utilizing nodemailer to send emails in nodejs. The process of embedding hyperlinks into the email body is functioning smoothly. Below is a snippet of my sample email body: `This is a confirmation email.\n Plea ...

node.jsemailexpressnodemailer

What is the best way to update just the image path in the source using jQuery?

I am currently working on implementing a dark mode function for my website, and I have successfully adjusted the divs and other elements. However, I am facing an issue with changing the paths of images. In order to enable dark mode, I have created two sep ...

javascripthtmljquerycss

What could be the reason behind receiving an "undefined" message when attempting to access db.collection in the provided code snippet?

var express = require('express'); var GoogleUrl = require('google-url'); var favicon = require('serve-favicon'); var mongo = require('mongodb').MongoClient; var app = express(); var db; var googleUrl = new GoogleUrl( ...

javascriptnode.jsmongodbexpress

Error: Unable to assign value to property 'className' of undefined object

On my http://localhost:3000/renewal page, the code looks like this: import Link from 'next/link' export default function Renewal() { return ( <header> <Link href="/"> <a> Go to home page ...

javascriptreactjsnext.js

Implementing specifications throughout the entire nodejs route

In my Nodejs app, I have a RESTful API where I need to check for a user's role before sending a response with data or 404 error. apiRouter.route('/users') .get(function (req, res) { var currentUser = req.decoded; if(curr ...

javascriptnode.jsexpress

Having trouble accessing JSON file again: "Encountered unexpected end of input error"

I have set up a cron-based scheduler to periodically retrieve JSON data from an external API every 2 minutes. The process involves writing the data to a file, reading it, cleaning it, and then storing it in a MongoDB collection. Everything works smoothly o ...

javascriptjsonnode.jsmongodb

Efficiently handling AWS Lambda responses by sending them before awaiting the completion of a database query using the

I am currently working on a serverless framework node js function that initializes a mysql DB and runs a query using ES6 to return an HTTP response. Is there a way for the response to be returned before the completion of the DB call? For example, in ...

mysqlnode.jsaws-lambdaserverlessserverless-framework

The "mkdir" command is malfunctioning in an npm script on Linux, whereas it is functioning properly

My "prebuild" script is designed to create a specific folder structure: mkdir -p dist/{server,shared,client/{css,js,fonts,img}} The desired output should be: dist server shared client css js fonts img When I ...

node.jslinuxbashubuntunpm

Ways to retrieve a concealed DOM element from a background window

I have been struggling to display a button that is located in the background window using the jQuery code below, but unfortunately it's not functioning as expected. On my webpage, I have a hidden button that should only be visible when a user adds a ...

javascriptjquery

What is the method for graphing data points that include two different y values?

I have been on the lookout for a solution to this question for quite some time now. While there are a few options that come close, I am yet to find the perfect answer. My goal is to create a line chart displaying water levels over time. I would like the d ...

javascripthighcharts

Obtaining the mouse position in JavaScript in relation to the website, preferably without relying on jQuery

I came across this code snippet on Ajaxian, but I am having trouble using cursor.y (or cursor.x) as a variable. When I call the function with it that way, it doesn't seem to work. Could there be a syntax issue or something else causing the problem? f ...

javascriptjquery-uimouse-position

Can the Angular link function activate the change event?

I am facing an issue with my Angular directive that includes a link function. Inside this function, I am initializing a jQuery plugin which can be seen in action here: https://plnkr.co/edit/58nOhypt6FRdI4At5jwu. The problem arises when every time the dire ...

javascriptjqueryangularjsangularjs-directive

Tips for automatically updating a MaterialUI DataGrid in a React JS application

Here's an overview of my current project: Users can save rows from deletion by clicking checkboxes (multiple rows at a time). Any unchecked records are deleted when the user hits the "purge records" button. I received some guidance on how to achieve ...

javascriptreactjsreact-nativematerial-ui