{"id":110,"date":"2014-05-30T10:10:55","date_gmt":"2014-05-30T01:10:55","guid":{"rendered":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/blog\/2014\/05\/30\/express_angularjs_csrf"},"modified":"2022-10-26T09:46:16","modified_gmt":"2022-10-26T00:46:16","slug":"express_angularjs_csrf","status":"publish","type":"post","link":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/blog\/2014\/05\/30\/express_angularjs_csrf\/","title":{"rendered":"express + AngularJS \u3067CSRF\u306e\u8a2d\u5b9a"},"content":{"rendered":"

\u6700\u8fd1\u30ab\u30c3\u30d7\u30e9\u30fc\u30e1\u30f3\u306b\u7d0d\u8c46\u3092\u5165\u308c\u308b\u306e\u304c\u597d\u304d\u3067\u3001\u30ab\u30c3\u30d7\u30e9\u30fc\u30e1\u30f3\u306b\u7d0d\u8c463\u30d1\u30c3\u30af\u3068\u304b\u30c9\u30d0\u3063\u3068\u5165\u308c\u3066\u3001\u305d\u3053\u306b\u5375\u3092\u5165\u308c\u3066\u98df\u3079\u305f\u308a\u3059\u308b\u3002
\u898b\u305f\u76ee\u306f\u60aa\u3044\u3051\u3069\u610f\u5916\u3068\u3044\u3051\u308b\u306e\u3067\u3001\u8208\u5473\u3042\u308b\u65b9\u306f\u304a\u8a66\u3057\u3042\u308c\u3002<\/p>\n

\u3068\u3053\u308d\u3067\u6700\u8fd1\u306f Node.js<\/a> \u3068\u304b express<\/a> \u3068\u304b mongodb<\/a> \u3068\u304b AngularJS<\/a> \u3092\u52c9\u5f37\u4e2d\u3002
\u3053\u3061\u3089<\/a> \u306e\u30c7\u30e2\u30a2\u30d7\u30ea\u3092\u30d9\u30fc\u30b9\u306b\u3044\u308d\u3044\u308d\u3068\u3044\u3058\u3063\u3066\u5909\u66f4\u3057\u306a\u304c\u3089\u3001\u6319\u52d5\u3092\u78ba\u8a8d\u3057\u3064\u3064\u52c9\u5f37\u3057\u3066\u308b\u3051\u3069\u3001\u3069\u308c\u3082\u52c9\u5f37\u3057\u59cb\u3081\u3067\u3064\u307e\u305a\u304f\u3053\u3068\u304c\u591a\u3044\u3002
\u4eca\u56de\u306f\u3001AngularJS \u3067\u30c7\u30fc\u30bf\u306e\u66f4\u65b0\u3092\u3057\u3088\u3046\u3068\u3057\u305f\u3068\u304d\u306b\u3001express \u5074\u3067 CSRF \u30a8\u30e9\u30fc\u304c\u51fa\u305f\u306e\u3067\u3001\u305d\u306e\u5185\u5bb9\u3068\u5bfe\u51e6\u65b9\u6cd5\u3092\u307e\u3068\u3081\u3066\u307f\u305f\u3002<\/p>\n

CSRF \u30a8\u30e9\u30fc<\/h2>\n

AngularJS \u3067\u30c7\u30fc\u30bf\u66f4\u65b0\u3092\u3057\u3088\u3046\u3068\u3057\u305f\u3068\u3053\u308d\u3001express \u5074\u3067\u4e0b\u8a18\u306e\u3088\u3046\u306a\u30a8\u30e9\u30fc\u304c\u51fa\u305f\u3002<\/p>\n

Error: Forbidden\n    at Object.exports.error (\/home\/nodejs\/em_test\/node_modules\/express\/node_modules\/connect\/lib\/utils.js:63:13)\n    at createToken (\/home\/nodejs\/em_test\/node_modules\/express\/node_modules\/connect\/lib\/middleware\/csrf.js:82:55)\n    at Object.handle (\/home\/nodejs\/em_test\/node_modules\/express\/node_modules\/connect\/lib\/middleware\/csrf.js:48:24)\n    at next (\/home\/nodejs\/em_test\/node_modules\/express\/node_modules\/connect\/lib\/proto.js:193:15)\n    at Object.handle (\/home\/nodejs\/em_test\/node_modules\/view-helpers\/index.js:65:5)\n    at next (\/home\/nodejs\/em_test\/node_modules\/express\/node_modules\/connect\/lib\/proto.js:193:15)\n    at Object.handle (\/home\/nodejs\/em_test\/node_modules\/connect-flash\/lib\/flash.js:21:5)\n    at next (\/home\/nodejs\/em_test\/node_modules\/express\/node_modules\/connect\/lib\/proto.js:193:15)\n    at SessionStrategy.strategy.pass (\/home\/nodejs\/em_test\/node_modules\/passport\/lib\/middleware\/authenticate.js:314:9)\n    at \/home\/nodejs\/em_test\/node_modules\/passport\/lib\/strategies\/session.js:61:12\nPUT \/admin\/expenses\/537bfa12db0460ff19812b80 500 490ms<\/code><\/pre>\n
CSRF<\/a> \u306e\u30a8\u30e9\u30fc\u3002
\nexpress \u3067\u306f\u3001\u78ba\u304b\u306b CSRF \u306e\u8a2d\u5b9a\u3057\u3066\u3001\u30d5\u30a9\u30fc\u30e0\u306b\u4e0b\u8a18\u306e\u884c\u3092\u66f8\u3044\u3066\u304a\u308a\u3001<\/p>\n
input(type="hidden", name="_csrf", value="#{csrf_token}")<\/code><\/pre>\n
\u3053\u3093\u306a\u611f\u3058\u3067\u5024\u304c\u5165\u3063\u3066\u3044\u305f\u306a\u30fc\u3068\u3002<\/p>\n
<input type="hidden" name="_csrf" value="hSPcdgooM3t461mJRl98Zx6o9KeNLU18ncXEA="><\/code><\/pre>\n
AngularJS \u3067\u306f\u305d\u3046\u3044\u3046\u8a2d\u5b9a\u3057\u3066\u306a\u3044\u3057\u3001\u30a8\u30e9\u30fc\u304c\u51fa\u308b\u306e\u3082\u7d0d\u5f97\u3002
\u3068\u3044\u3046\u3053\u3068\u3067\u3001express + AngularJS \u3067\u306e CSRF \u306e\u8a2d\u5b9a\u65b9\u6cd5\u3092\u8abf\u3079\u3066\u3084\u3063\u3066\u307f\u305f\u3002
\u53c2\u8003URL\uff1a
Using CSRF protection with Express and AngularJS<\/a>
ExpressJS, AngularJS and Cross-site request forgery (csrf) protection<\/a><\/p>\n
\u5bfe\u5fdc\u65b9\u6cd5<\/h2>\n
1. express \u30a2\u30d7\u30ea\u306b CSRF middleware \u3092\u8a2d\u5b9a<\/h5>\n
\u307e\u305a\u3001CSRF middleware \u3092\u8ffd\u52a0\u3002
\u30bb\u30c3\u30b7\u30e7\u30f3\u3092\u6271\u3048\u306a\u3044\u3068\u30c0\u30e1\u306a\u306e\u3067\u3001session() \u306e\u5f8c\u306b\u8ffd\u52a0\u3059\u308b\u3053\u3068\u3002
\u4eca\u56de\u306e\u30c7\u30e2\u30a2\u30d7\u30ea\u306b\u306f\u65e2\u306b\u8a2d\u5b9a\u6e08\u307f\u3060\u3063\u305f\u3051\u3069\u3002<\/p>\n
app.use(express.csrf());<\/code><\/pre>\n
2. AngularJS \u7528\u306b cookie \u8a2d\u5b9a<\/h5>\n
Cross Site Request Forgery (XSRF) Protection<\/a><\/p>\n
\n
 Angular provides a mechanism to counter XSRF. When performing XHR requests, the $http service reads a token from a cookie (by default, XSRF-TOKEN) and sets it as an HTTP header (X-XSRF-TOKEN).  <\/p>\n<\/blockquote>\n
AngularJS \u306e $http \u30b5\u30fc\u30d3\u30b9\u3067\u306f\u3001cookie \u306e XSRF-TOKEN \u3092\u8aad\u3093\u3067\u3001HTTP \u30d8\u30c3\u30c0\u30fc\u306b X-XSRF-TOKEN \u3068\u3057\u3066\u30bb\u30c3\u30c8\u3059\u308b\u306e\u3067\u3001express \u5074\u3067 cookie \u306e XSRF-TOKEN \u3068\u3057\u3066\u5024\u3092\u5165\u308c\u3066\u3084\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n
app.use(function(req, res, next){\n  res.locals.csrf_token = req.csrfToken();\n  res.cookie('XSRF-TOKEN', req.csrfToken()); \/\/ \u3053\u306e\u884c\u3092\u8ffd\u52a0\n  next();\n});<\/code><\/pre>\n
3. CSRF middleware \u306e token \u8a2d\u5b9a *1<\/h5>\n
express 3.x docs - csrf()<\/a><\/p>\n
\n
The default value function checks req.body generated by the bodyParser() middleware, req.query generated by query(), and the "X-CSRF-Token" header field.  <\/p>\n<\/blockquote>\n
CSRF middleware \u306f\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u306f\u3001req.body \u3084 req.query \u3084\u30d8\u30c3\u30c0\u30fc\u306e X-CSRF-Token \u3092\u898b\u306b\u884c\u304f\u3002
AngularJS \u306f X-XSRF-TOKEN \u3092\u4f7f\u3046\u306e\u3067\u3001express \u5074\u3067\u30d8\u30c3\u30c0\u30fc\u306e X-XSRF-TOKEN \u3092\u898b\u306b\u884c\u304f\u3088\u3046\u306b\u8a2d\u5b9a\u3057\u3066\u3084\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002
\u65e2\u5b58\u306e\u51e6\u7406\u306b\u3001Angular \u306b\u5fc5\u8981\u306a req.headers['x-xsrf-token'] \u3092\u8ffd\u52a0\u3067\u898b\u306b\u884c\u304f\u30d5\u30a1\u30f3\u30af\u30b7\u30e7\u30f3\u4f5c\u6210\u3002  <\/p>\n
var csrfValue = function(req) {\n  var token = (req.body && req.body._csrf)\n    || (req.query && req.query._csrf)\n    || (req.headers['x-csrf-token'])\n    || (req.headers['x-xsrf-token']); \/\/ \u3053\u306e\u884c\u3092\u8ffd\u52a0\u3002\n  return token;\n};<\/code><\/pre>\n
    \n
  1. \u3067\u8ffd\u52a0\u3057\u305f\u3001csrf() \u306b value \u3068\u3057\u3066\u8a2d\u5b9a\u3059\u308b\u3002<\/li>\n<\/ol>\n
    app.use(express.csrf({value: csrfValue}));<\/code><\/pre>\n
    *1 express \u306e 4.x \u3067\u306f\u3001\u30c7\u30d5\u30a9\u30eb\u30c8\u3067 x-xsrf-token \u3082\u898b\u308b\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u3066\u3001\u3053\u306e\u8a2d\u5b9a\u304c\u5fc5\u8981\u306a\u3044\u3088\u3046\u306a\u306e\u3067\u6ce8\u610f\u3002
    csrf(options)<\/a><\/p>\n
    \n
    The default function checks four possible token locations:
    _csrf parameter in req.body generated by the body-parser middleware.
    _csrf parameter in req.query generated by query().
    x-csrf-token and x-xsrf-token header fields.<\/p>\n<\/blockquote>\n
    \u3068\u3001\u3053\u3053\u307e\u3067\u66f8\u3044\u3066\u5b9f\u969b\u306b\u30c7\u30e2\u30a2\u30d7\u30ea\u3067\u4f7f\u3063\u3066\u3044\u308b csrf.js \u3092\u898b\u3066\u307f\u305f\u3089\u3061\u3083\u3093\u3068<\/p>\n
        || (req.headers['x-xsrf-token']);<\/code><\/pre>\n
    \u304c\u5165\u3063\u3066\u3044\u305f\uff01
    \u4f7f\u3063\u3066\u3044\u308b express \u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306f\u30013.4.8\u306a\u3093\u3060\u3051\u3069\u3002
    2013\u5e74\u306e7\u6708\u306b\u5bfe\u5fdc\u3055\u308c\u3066\u3044\u308b\u3063\u307d\u3044\u2026\u3002
    Update csrf.js \u00b7 b236bc3 \u00b7 senchalabs\/connect<\/a>  <\/p>\n
    express 3.x docs - csrf()<\/a> \u304c\u6700\u65b0\u306e\u60c5\u5831\u306b\u66f4\u65b0\u3055\u308c\u3066\u306a\u3044\u306e\u304b\u306a\u2026\u3002
    \u305b\u3063\u304b\u304f\u306a\u306e\u3067\u3001\u53e4\u3044\u30d0\u30fc\u30b8\u30e7\u30f3\u306e express \u3092\u304a\u4f7f\u3044\u306e\u65b9\u306b\u53c2\u8003\u306b\u306a\u308c\u3070\u3001\u3068\u3053\u3053\u307e\u3067\u66f8\u3044\u305f\u5185\u5bb9\u306f\u6b8b\u3057\u3066\u304a\u3053\u3046\u2026\u3002  <\/p>\n
    4. AngularJS \u3067\u30c7\u30fc\u30bf\u66f4\u65b0<\/h5>\n
    express \u5074\u3067\u8a2d\u5b9a\u304c\u3067\u304d\u305f\u3089\u3001\u5f8c\u306f AngularJS \u5074\u3067\u306f\u901a\u5e38\u901a\u308a\u3001\u30c7\u30fc\u30bf\u66f4\u65b0\u51e6\u7406\u3092\u884c\u3048\u3070OK\u3002
    \u4f8b\u3048\u3070\u3053\u3093\u306a\u611f\u3058\u3067\u3001\u30c7\u30fc\u30bf\u66f4\u65b0\u3002  <\/p>\n
    app.controller('EditCtrl', ['$scope', '$location', 'expense',\n  function($scope, $location, expense) {\n    $scope.expense = expense;\n\n    $scope.save = function() {\n      $scope.expense.$update(function(expense) {\n        $location.path('\/admin\/#\/expenses\/' + expense.id);\n      });\n    };\n\n  }\n]);<\/code><\/pre>\n
    \u307e\u3068\u3081<\/h2>\n
    express + AngularJS \u306e CSRF \u8a2d\u5b9a\u306f\u610f\u5916\u3068\u7c21\u5358\u306b\u3067\u304d\u3061\u3083\u3046\u3093\u3060\u306a\u3001\u3068\u3044\u3046\u5370\u8c61\u3002
    \u305d\u308c\u3068\u3001\u30d6\u30ed\u30b0\u306b\u307e\u3068\u3081\u308b\u3063\u3066\u3044\u3046\u306e\u306f\u81ea\u5206\u306e\u7406\u89e3\u3092\u6df1\u3081\u308b\u4e0a\u3067\u3044\u3044\u3053\u3068\u3060\u306a\u3001\u3068\u3002
    \u4eca\u56de\u3082\u3053\u308c\u3092\u66f8\u304d\u306a\u304c\u3089\u3001\u5b9f\u306f\u4e0d\u8981\u306a\u51e6\u7406\u304c\u3042\u3063\u305f\u306e\u306b\u6c17\u3065\u3051\u305f\u306e\u3067\u2026\u3002  <\/p>\n","protected":false},"excerpt":{"rendered":"
    \u6700\u8fd1\u30ab\u30c3\u30d7\u30e9\u30fc\u30e1\u30f3\u306b\u7d0d\u8c46\u3092\u5165\u308c\u308b\u306e\u304c\u597d\u304d\u3067\u3001\u30ab\u30c3\u30d7\u30e9\u30fc\u30e1\u30f3\u306b\u7d0d\u8c463\u30d1\u30c3\u30af\u3068\u304b\u30c9\u30d0\u3063\u3068\u5165\u308c\u3066\u3001\u305d\u3053\u306b\u5375\u3092\u5165\u308c\u3066\u98df\u3079\u305f\u308a\u3059\u308b\u3002\u898b\u305f\u76ee\u306f\u60aa\u3044\u3051\u3069\u610f\u5916\u3068\u3044\u3051\u308b\u306e\u3067\u3001\u8208\u5473\u3042\u308b\u65b9\u306f\u304a\u8a66\u3057\u3042\u308c\u3002 \u3068\u3053\u308d\u3067\u6700\u8fd1\u306f Node.js \u3068\u304b express \u3068\u304b mongodb \u3068\u304b AngularJS \u3092\u52c9\u5f37\u4e2d\u3002\u3053\u3061\u3089 \u306e\u30c7\u30e2\u30a2\u30d7\u30ea\u3092\u30d9\u30fc\u30b9\u306b\u3044\u308d\u3044\u308d\u3068\u3044\u3058\u3063\u3066\u5909\u66f4\u3057\u306a\u304c\u3089\u3001\u6319\u52d5\u3092\u78ba\u8a8d\u3057\u3064\u3064\u52c9\u5f37\u3057\u3066\u308b\u3051\u3069\u3001\u3069\u308c\u3082\u52c9\u5f37\u3057 […]<\/p>\n","protected":false},"author":3,"featured_media":684,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[7],"tags":[30,28],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/wp-json\/wp\/v2\/posts\/110"}],"collection":[{"href":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/wp-json\/wp\/v2\/comments?post=110"}],"version-history":[{"count":1,"href":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/wp-json\/wp\/v2\/posts\/110\/revisions"}],"predecessor-version":[{"id":3337,"href":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/wp-json\/wp\/v2\/posts\/110\/revisions\/3337"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/wp-json\/wp\/v2\/media?parent=110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/wp-json\/wp\/v2\/categories?post=110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/p-corporate-blog-cms.mmmcorp.co.jp\/wp-json\/wp\/v2\/tags?post=110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}