Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

We will install the csurf package for this: `npm install --save csurf`. We need to pass the CSRF token to each view (we can do this once in app.js instead of in every controller) and add a hidden input named `_csrf` containing the token to every form that sends a POST request.

app.js

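const path = require('path');
const express = require('express');
const bodyParser = require('body-parser');
const app = express();
const ejs = require('ejs');

const authRoutes = require('./routes/auth');

// CSRF protection middleware (csurf).
// NOTE(review): csurf stores its per-user secret in req.session by default; with no
// session middleware registered and no `cookie: true` option it throws
// "misconfigured csrf" on the first request. A session store (or cookie-parser plus
// `csrf({ cookie: true })`) has to be in place before this middleware runs.
// csurf has also been deprecated upstream; a maintained alternative is worth considering.
const csrf = require('csurf');
const csrfProtection = csrf();

// Parse urlencoded form bodies first: csurf reads the token from req.body._csrf,
// so it must be registered after the body parser.
app.use(bodyParser.urlencoded({ extended: false }));

// From here on every state-changing request (POST, PUT, PATCH, DELETE) must carry a
// valid token, otherwise csurf responds 403 (EBADCSRFTOKEN). GET/HEAD/OPTIONS are not checked.
app.use(csrfProtection);

// Expose the token to all rendered views through res.locals, so controllers do not
// need to pass it explicitly. This (and the routes that render views) must come
// after the csrf middleware, since req.csrfToken() is what csurf attaches.
app.use((req, res, next) => {
    res.locals.csrfToken = req.csrfToken();
    next();
});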



routes/auth.js

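const path = require('path');
const express = require('express');
const router = express.Router();

const authController = require('../controllers/auth');

// GET renders the login form; csurf does not validate tokens on GET, it only
// makes one available through req.csrfToken().
router.get('/login', authController.getLogin);

// POST is validated by the csrfProtection middleware in app.js, provided this
// router is mounted after it; a missing or invalid _csrf field never reaches postLogin.
router.post('/login', authController.postLogin);

// Export the router so app.js can mount it; without this `require('./routes/auth')`
// yields an empty object and the login routes are never registered.
module.exports = router;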



controllers/auth.js

/**
 * GET /login — render the login form.
 * The csrfToken used by the view is not passed here; app.js places it on
 * res.locals for every render.
 */
exports.getLogin = function getLogin(req, res, next) {
    const viewData = {
        path: '/login',
        pageTitle: 'Login',
    };
    res.render('auth/login', viewData);
};


/**
 * POST /login — handle the submitted login form.
 * Only reached once the csrf middleware has accepted the request's _csrf field.
 * NOTE(review): as written the handler sends no response, so the request hangs
 * until the client gives up; the authentication step is still to be implemented.
 */
exports.postLogin = function postLogin(req, res, next) {
    const { email, password } = req.body;

    // TODO: user authentication — look the user up by email, verify the
    // password, then respond or redirect.
};



views/auth/login.ejs

<title><%= pageTitle %></title>
</head>

<body>
    <main>
        <div class="login">
                <div>
                    <!-- Posts to /login; the csrf middleware in app.js validates the _csrf field on every POST. -->
                    <form method="post" action="/login">
                        <div>
                            <label>email</label>
                            <input type="email" name="email" />
                        </div>

                        <div>
                            <label>password</label>
                            <input type="password" name="password" />
                        </div>

                        <div>
                            <input type="submit" value="login" />
                        </div>

                        <!-- "_csrf" is the body field csurf reads by default. csrfToken comes from res.locals
                             (set in app.js); the equals-sign EJS output tag HTML-escapes it. -->
                        <input type="hidden" name="_csrf" value="<%= csrfToken %>">
                    </form>
                </div>
        </div>
    </main>        
</body>
</html>