X-XSRF-Token header is not setting in angular6

Question

I am getting some strange issue in my angular 6 and nodeJS web app.

I have to implement csrf protection so I have implemented csurf in node js, my node js code is given below,

let express=require('express');
let app=express();

var cookieParser = require('cookie-parser')
csrf = require('csurf');
//import body parser
let bodyParser=require('body-parser');
app.use(bodyParser.urlencoded({
    extended: true
}));
app.use(bodyParser.json());
app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin","*");
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept,X-XSRF-Token");
  res.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, PATCH, DELETE');
  res.header('Access-Control-Allow-Credentials', true);
  next();
});
app.use(cookieParser('ksdnfjn9834f80sa9asjfasdj'));
app.use(csrf({ cookie: true }));
app.use(function(req, res, next) {
  console.log(req.csrfToken());

  res.cookie('XSRF-TOKEN', req.csrfToken(),{ httpOnly: false,Path:"/" });
  return next();
});
app.use('/api',apiRoutes);
app.use('/admin',adminapiRoutes);

app.listen(3000,function(){
    console.log('api is listening on port'+3000);
})

my angular js code looks like this, to call api post request,

this.http.post(this.contact_api_url, {
      "name": this.contact_name,
      "email": this.contact_email,
      "message": this.contact_message
    },{withCredentials: true,headers: new HttpHeaders().set('X-XSRF-TOKEN', "token_get_in_cookie" ) }).subscribe((val) => {
      this.renderer.removeClass(loda_element,'show');
      //var msg=JSON.stringify(val);
      alertify.success(val['message']);
      this.contact_name = '';
      this.contact_email = '';
      this.contact_message = '';
      grecaptcha.reset();
      this.captcha_response = '';

    }, error => {
      this.renderer.removeClass(loda_element,'show');
      alertify.error("Error Occurred. Try Again.");
    });

Now the issue is it is not setting header any way, even not adding any other header I have also added below code in imports

HttpClientXsrfModule.withOptions({
      cookieName: 'XSRF-TOKEN',
      headerName: 'X-XSRF-TOKEN'
    }),

but nothing works it is not adding X-XSRF-TOKEN header, I have also implemented interceptor as below,

intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        let requestToForward = req;
        let token = this.tokenExtractor.getToken() as string;
        const headers: any = {};

        if (token !== null) {
            headers['X-XSRF-TOKEN'] = token; // add it to the header

            requestToForward = req.clone({ setHeaders: headers });
        }
        return next.handle(requestToForward);
    }

I am also getting token value which is set by node js code in XSRF-TOKEN but header is not setting.

Can any one have idea why header is not setting in angular 6? Note: I am working on localhost so nodeJS is running on http://localhost:3000 and angular is running on http://localhost:4200

app.use(cookieParser()); req.cookies['Your-Cookie-Name-Here'] ... did you try this? — notionquest, Dec 01 '18 at 16:19
cookie is set perfectly, the issue is angular 6 http post method does not set header, not just x-xsrf-token but any header in http request. — kishan, Dec 01 '18 at 16:21
did you test the server side api outside the angular app to confirm this? — notionquest, Dec 01 '18 at 16:22

X-XSRF-Token header is not setting in angular6

0 Answers0