krakenjs/lusca

CSRF blacklist and whitelist not working as expected for multiple endpoints.

gladchinda opened this issue · 1 comment

I am currently working with a package that uses lusca for CSRF protection and discovered that blacklisting and whitelisting do not work as expected when I pass an array of more than 1 endpoint. However, if a string or an array with just 1 endpoint is passed, it works as expected.

Here is a simple scenario from my app:

This works as expected:

expressApp.use(lusca.csrf({
  blacklist: ['/hooks/user_created']
}));

This doesn't work as expected:

expressApp.use(lusca.csrf({
  blacklist: [
    '/hooks/user_created',
    '/hooks/user_profile_updated',
    '/hooks/email_delivered'
  ]
}));

Fixed in #121