Invalid csrf token when on multipart/form-data #53
Comments
I solved this by adding:
to the form. Removed the hidden field for the csrf token.
Hm, that's interesting... the hidden field should have done the trick, though your fix is also valid. I'll look into this...
Experiencing the same problem, tried both Formidable and Multer. The problem also appears only with multipart/form-data forms in my case. I confirm Markzero's fix works; the difference with my code is that I do app.use(csrf({cookie: true})); It's interesting why the hidden field doesn't work. Can the problem lie within csurf or formidable/multer when they interact with multipart/form-data?
Ok, I've found the solution here - https://github.com/expressjs/csurf/issues/58 (the issue is also mentioned here - https://github.com/expressjs/csurf/issues/15). Your app.js, a basic picture upload app:
Your main.html in /views:
Now, you can check if it works by removing the hidden input from your HTML and trying to upload something; it will fail, complaining about an invalid token.
@jason-ca .... Thank you so much........ it actually works
The only issue with @jason-ca's solution is that multer will still upload the files if the CSRF fails (because multer processing happens before the CSRF check is performed).
I think the problem is that:
Still I get the same issue, invalid csrf token
@markzero you are still saving lives in 2019, thank you!
This can be done by putting the token in the header and submitting the form via ajax
A possible crummy workaround is adding
I found that using express-fileupload over multer works better. This module supports uploads to memory, so no files are written before the CSRF token is validated. (Only good for small files, of course!)
When I'm using formidable and upload image fields in forms with enctype=multipart/form-data, I'm getting "invalid csrf token" error message. When I remove enctype from the form, it works.
Any ideas?
Thanks
My middlewares: