Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[question] Shouldn't /csrfToken route match "first", before what's in config/routes.js and config/blueprints.js #2360

Closed
akhoury opened this issue Nov 4, 2014 · 7 comments
Closed

[question] Shouldn't /csrfToken route match "first", before what's in config/routes.js and config/blueprints.js #2360

akhoury opened this issue Nov 4, 2014 · 7 comments

Comments

@akhoury
Copy link

akhoury commented Nov 4, 2014

In a SPA using pushState, I made some changes to the routes to forward all requests except assets and api request to the main homepage view, where Backbone will pickup the requested route, with excellent help from @sgress454

However, when CSRF (with ajax) is enabled, /csrfToken was being treated just all other routes, the request was never making it to its destination.

I realize that with my catch-all routes /* config this was very easy to debug, however, I am not sure if that's the best approach.

Question:

Shouldn't /csrfToken have a precedence over what's in the config.routes? if not, should be at least have an option to use a different route, something like

module.exports.csrf = {
    grantTokenViaAjax: true,
    route: '/somewhere-different/csrfToken'
};

instead of doing this?

config/routes.js

module.exports.routes = {
    '/*': {
        view: 'homepage',
        skipAssets: true,
        skipRegex: /^\/api\/.*$|^\/csrfToken$/ // <--- had to add the csrfToken to be skipped
    }
}

Thank you
@konstantinzolotarev
Copy link
Member

Unfortunately no.
There is no such config option. And url is hardcoded into hook to /csrfToken.

sails.config.routes["/csrfToken"] = {target: csrfToken, cors: {origin: sails.config.csrf.origin, credentials:true}};

So you have to handle this outside of sails csrf configuration.

@akhoury
Copy link
Author

akhoury commented Nov 4, 2014

Would this thread be a legitimate request to leave the issue open? if not, just close it.
Thank you

@sgress454
Copy link
Member

The main issue at play here is that, for better or worse, routes in sails.config.routes are processed in the order that they are placed in the hash. The csrfToken route needs to be in that hash so that the CORS hook can process it, but the way it's currently added, it's being placed at the end. It's possible this could be fixed by changing that line in the csrf hook to:

sails.config.routes = sails.util.extend(
   {
      "/csrfToken": {target: csrfToken, cors: {origin: sails.config.csrf.origin, credentials:true}}
   },
   sails.config.routes
);

@akhoury, if you want to experiment with that and issue a pull request, I'd be grateful!

@akhoury
Copy link
Author

akhoury commented Nov 4, 2014

Will do

@konstantinzolotarev
Copy link
Member

@sgress454
May be it will be really better to add a config to csrf to change the default csrf route ?

@sgress454
Copy link
Member

@konstantinzolotarev that's a separate issue. If you want to set up the CSRF hook to be configurable in that way and submit a PR, feel free!

@konstantinzolotarev
Copy link
Member

@sgress454 Done. and also applied sails.util.extend to route binding in #2366

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@konstantinzolotarev @sgress454 @akhoury @loicsaintroch