CSRF token missing for enctype="multipart/form-data"

[erbridge]

I'm using lusca without krakenjs and am trying to get CSRF working with an image upload. I am parsing the form later in my route logic using multer.

How can I get CSRF to work with this?

[jasisk]

multer will have to be earlier in the continuation than lusca as lusca needs to pluck the token off of the body (which isn't parsed until the multer middleware).

[erbridge]

That's impractical for my use case. Alternatively, is there a built in way to exclude routes from requiring CSRF?

[jasisk]

Sure thing. Check out the section on Route paths in the expressjs guide on routing. Short version is you can write a regular expression with a negative lookahead assertion. I wrote a small demo project documenting some middleware registration patterns which includes a blacklist pattern leveraging this.

In your case, since you're using vanilla express, I'd recommend writing a true regular expression instead of the string-based pattern I used in the above example project.

Closing but feel free to continue the conversation.

[erbridge]

Ah. Didn't know you could do that. Still not ideal, but it'll suffice. Thanks.